Factoring large integers

FIELD OF THE INVENTION

The present invention is related to solving an equation in two or more unknown integer variables, where each variable is represented by a multiplicity of powers of multiples of an odd prime p. Specifically, the present invention is related to factoring an integer N₀, restating the problem into the factorization of an appropriate integer N which is a quadratic residue modulo p, then factoring N.

BACKGROUND

The problem of resolving a large integer into the product of its prime factors has stimulated the intellectual curiosity and the imagination of many generations of mathematicians.

In 1801 Gauss wrote: “. . . the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated.” See page 397 of [3].

The problem has attracted renewed interest, ever since R. L. Rivest, A. Shamir, and L. Adleman proposed an encryption method which is based on the computational difficulty of the factorization problem [4].

This note introduces a method and apparatus which lead to the factorization of a large odd integer N₀.

SUMMARY

$Z_{0} \equiv 1 6 X_{0}^{4} X_{2}^{4} (\mod N_{0})$

$Z_{1} \equiv X_{0}^{4} X_{2}^{2} (4 X_{3}^{2} - 1 6 b^{2} X_{0}^{2} a - 3 2 b^{2} X_{0} X_{1}) (\mod N_{0})$

$Z_{2} \equiv - 2 X_{0} X_{2} (\begin{matrix} 8 X_{0}^{3} X_{1}^{3} a^{3} + 36 X_{0}^{2} X_{1}^{4} a^{2} - 8 X_{0}^{3} X_{1} X_{2}^{2} a^{2} + 54 X_{0} X_{1}^{5} a - \\ 36 X_{0}^{2} X_{1}^{2} X_{2}^{2} a + 27 X_{1}^{6} - 36 X_{0} X_{1}^{3} X_{2}^{2} + 8 X_{0}^{2} X_{2}^{4} \end{matrix}) (\mod N_{0})$

$Z_{3} \equiv {(4 X_{0}^{2} X_{1}^{2} a^{2} + 1 2 X_{0} X_{1}^{3} a - 4 X_{0}^{2} X_{2}^{2} a + 9 X_{1}^{4} - 8 X_{0} X_{1} X_{2}^{2})}^{2} (\mod N_{0})$

Otherwise, the point [Z₀, Z₁, Z₂, Z₃] is:

$Z_{0} \equiv {(X_{1} Y_{0} - X_{0} Y_{1})}^{4} X_{0}^{2} Y_{0}^{2} (\mod N_{0})$

$Z_{1} \equiv X_{0}^{3} {Y_{0}^{3} (X_{1} Y_{0} - X_{0} Y_{1})}^{2} (2 b^{2} X_{0} Y_{0} + 2 X_{1} Y_{1} a + X_{3} Y_{1} - 2 X_{2} Y_{2} + X_{1} Y_{3}) (\mod N_{0})$

$Z_{2} \equiv X_{0}^{3} Y_{0}^{3} (X_{1} Y_{0} - X_{0} Y_{1}) (\begin{matrix} - 4 b^{2} X_{0} X_{2} Y_{0}^{2} + 4 b^{2} X_{0}^{2} Y_{0} Y_{2} + X_{1} X_{3} Y_{0} Y_{2} + \\ 3 X_{0} X_{3} Y_{1} Y_{2} - 3 X_{1} X_{2} Y_{0} Y_{3} - X_{0} X_{2} Y_{1} Y_{3} - \\ 2 a (X_{1} X_{2} Y_{0} Y_{1} - X_{0} X_{3} Y_{0} Y_{2} - X_{0} X_{1} Y_{1} Y_{2} + X_{0} X_{2} Y_{0} Y_{3}) \end{matrix}) (\mod N_{0})$

$Z_{3} \equiv {(\begin{matrix} {(X_{1} Y_{0} - X_{0} Y_{1})}^{2} X_{0} Y_{0} a + X_{1}^{3} Y_{0}^{3} - X_{0} X_{2}^{2} Y_{0}^{3} - X_{0} X_{1}^{2} Y_{0}^{2} Y_{1} - \\ X_{0}^{2} X_{1} Y_{0} Y_{1}^{2} X_{0}^{3} Y_{1}^{3} + 2 X_{0}^{2} X_{2} Y_{0}^{2} Y_{2} - X_{0}^{3} Y_{0} Y_{2}^{2} \end{matrix})}^{2} (\mod N_{0}) .$

There is the step of testing if any component of the third point shares a factor with N₀and is a shared factor with N₀. There is the step of identifying the shared factor with N₀as one of plurality of prime factors of N₀, and a quotient of N₀by the shared factor as another prime factor. There is the step of decrypting with the second computer the signal W with the public key N₀and prime factors of the integer N₀. There is the step of reviewing the decrypted signal W for predetermined words with the second computer to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be acted upon to mitigate or eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.

Otherwise, the point [Z₀, Z₁, Z₂, Z₃] is:

There is the step of testing if any component of the third point shares a factor with N₀and is a shared factor with N₀. There is the step of identifying the shared factor with N₀as one of plurality of prime factors of N₀, and a quotient of N₀by the shared factor as another prime factor. The cpu decrypting the signal W with the public key N₀and prime factors of integer N₀. The cpu reviewing the decrypted signal W for predetermined words to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be quickly acted upon to eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.

Otherwise, the point [Z₀, Z₁, Z₂, Z₃] is:

The present invention pertains to a method for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers. The method comprises the steps of obtaining the electromagnetic signal W from a telecommunications network, or a data network or an Internet or a first non-transient memory. There is the step of storing the signal W in a second non-transient memory. There is the step of decoding with a second computer in communication with the second non-transient memory the signal W in the second non-transient memory by factoring the public key N₀in at most a time O(log⁶N₀) with the second computer generated steps of selecting a prime p and vector of positive integers k=[k₀, k₁, . . . , k_M−1]. There is the step of determining a polynomial v(x)=v₀+v₁x+ . . . +v_n−1xⁿ⁻¹such that v(p)=N is a predetermined multiple of N₀. There is the step of determining a p^k-standard polynomial A(x) such that A(x)²≡v(x) (SP_p_k), where a polynomial f(x)=f₀+f₁x+f₂x²+ . . . +f_M−1x^M−1is called p^k-standard if

0≤f_i<p^kⁱ

for i=0,1, . . . ,M−1, a p^k-standard part of the polynomial f(x) is computed by reducing the coefficient of xⁱmodulo p^kⁱand truncating all terms x^mfor m≥M. There is the step of determining a roster of pairs (U(x), V(x)) such that there is a persistent standard polynomial factorization:

(A(x)−U(x)−V(x))(A(x)+U(x)−V(x))≡v(x) (SP_p_k)

where a standard polynomial factorization v(x)≡r(x)s(x) is called persistent if r(x) and s(x) have the same degree as their reductions modulo p. There is the step of determining a shared factor that integers r(p) and s(p) share with N₀, where the shared factor with N₀as one of plurality of prime factors of N₀. There is the step of obtaining another prime factor by division of N₀by the shared factor. There is the step of identifying the shared factor with N₀as one of plurality of prime factors of N₀, and a quotient of N₀by the shared factor as another prime factor. There is the step of decrypting with the second computer the signal W with the public key N₀and prime factors of the integer N₀. There is the step of reviewing the decrypted signal W for predetermined words with the second computer to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be acted upon to mitigate or eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.

The present invention pertains to a second computer for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s. The second computer comprises an input for obtaining the electromagnetic signal W from a telecommunications network, or a data network or an Internet or a first non-transient memory. The second computer comprises a second non-transient memory in communication with the input in which the signal W is stored. The second computer comprises a cpu in communication with the second non -transient memory with the signal W in the second non-transient memory. The cpu decodes the signal W by factoring the public key N₀in time O(log⁶N₀) by the second computer generated steps of selecting a prime p and vector of positive integers k=[k₀, k₁, . . . , k_M−1]. There is the step of determining a polynomial v(x)=v₀+v₁x+ . . . +v_n−1xⁿ⁻¹such that v(p)=N is a predetermined multiple of N₀. There is the step of determining a p^k-standard polynomial A(x) such that A(x)²≡v(x) (SP_p_k), where a polynomial f(x)=f₀+f₁x+f₂x²+ . . . +f_M−1x^M−1is called p^k-standard if

0≤f_i<p^kⁱ

for i=0,1, . . . ,M−1, a p^k-standard part of the polynomial f(x) is computed by reducing the coefficient of xⁱmodulo p^k^tand truncating all terms x^mfor m≥M. There is the step of determining a roster of pairs (U(x), V(x)) such that there is a persistent standard polynomial factorization:

(A(x)−U(x)−V(x))(A(x)+U(x)−V(x))≡v(x) (SP_p_k)

where a standard polynomial factorization v(x)≡r(x)s(x) is called persistent if r(x) and s(x) have the same degree as their reductions modulo p. There is the step of determining a shared factor that integers r(p) and s(p) share with N₀, where the shared factor with N₀as one of plurality of prime factors of N₀. There is the step of obtaining another prime factor by division of N₀by the shared factor. There is the step of identifying the shared factor with N₀as one of plurality of prime factors of N₀, and a quotient of N₀by the shared factor as another prime factor. The cpu decrypting with the second computer the signal W with the public key N₀and prime factors of the integer N₀. The cpu reviewing the decrypted signal W for predetermined words to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be acted upon to mitigate or eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.

The present invention pertains to a non-transitory readable storage medium which includes a computer program stored on the storage medium for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s, where the signal W has been stored in a second non-transient memory of a second computer, and the second computer factoring the public key N₀in time O(log⁶N₀). The signal W obtained from a telecommunications network, or a data network or an Internet or a first non-transient memory. The computer program having the second computer generated steps of: selecting a prime p and vector of positive integers k=[k₀, k₁, . . . , k_M−1]. There is the step of determining a polynomial v(x)=v₀+v₁x+ . . . +v_n−1xⁿ⁻¹such that v(p)=N is a predetermined multiple of N₀. There is the step of determining a p^k-standard polynomial A(x) such that A(x)²≡v(x) (SP_p_k), where a polynomial f(x)=f₀+f₁x+f₂x²+ . . . +f_M−1x^M−1is called p^k-standard if

0≤f_i<p^kⁱ

for i=0,1, . . . ,M−1, a p^k-standard part of the polynomial f(x) is computed by reducing the coefficient of xⁱmodulo p^k^tand truncating all terms x^mfor m≥M. There is the step of determining a roster of pairs (U(x), V(x)) such that there is a persistent standard polynomial factorization:

(A(x)−U(x)−V(x))(A(x)+U(x)−V(x))≡v(x) (SP_p_k)

where a standard polynomial factorization v(x)≡r(x)s(x) is called persistent if r(x) and s(x) have the same degree as their reductions modulo p. There is the step of determining a shared factor that integers r(p) and s(p) share with N₀, where the shared factor with N₀as one of plurality of prime factors of N₀. There is the step of obtaining another prime factor by division of N₀by the shared factor. There is the step of identifying the shared factor with N₀as one of plurality of prime factors of N₀, and a quotient of N₀by the shared factor as another prime factor. There is the step of decrypting with the second computer the signal W with the public key N₀and prime factors of the integer N₀. There is the step of reviewing the decrypted signal W for predetermined words with the second computer to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be acted upon to mitigate or eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.

BRIEF DESCRIPTION OF THE FIGURE

FIG. 1 is a block diagram regarding the claimed invention.

FIG. 2. is a flow chart of the factorization process regarding the claimed invention.

FIG. 3 is a flow chart for obtaining a public/private key pair regarding the claimed invention.

FIG. 4 is a flow chart for decoding, decrypting, and scanning electromagnetic signal W regarding the claimed invention.

THE PROBLEM

Given a positive odd integer N₀, it is desired to determine a pair of integers r₀and s₀such that

N₀=r₀·s₀. (1)

The problem can also be stated as the search for two integers Y₀and X₀such that Y₀>X₀and

N₀=Y₀²−X₀². (2)

The pairs (r₀, s₀) and (Y₀, X₀) are related as follows:

$\begin{matrix} {\begin{matrix} Y_{0} = \frac{r_{0} + s_{0}}{2} \\ X_{0} = \frac{r_{0} - s_{0}}{2} \end{matrix} . & (3) \end{matrix}$

Conversely,

$\begin{matrix} {\begin{matrix} r_{0} = Y_{0} + X_{0} \\ s_{0} = Y_{0} - X_{0} \end{matrix} . & (4) \end{matrix}$

If r₀>s₀>0, both Y₀and X₀are positive. In this case it is useful to consider some limit cases in order to develop an appreciation for the magnitude of the variables.

One of the limit cases occurs when the pair (r₀, s₀) is a pair of “twin primes”, such as (43, 41). In these cases,

$\begin{matrix} {\begin{matrix} X_{0} = 1 \\ Y_{0} = \sqrt{N_{0} + 1} \end{matrix} . & (5) \end{matrix}$

At the other end is the case when r₀approximates N₀. At the limit, consider a pair (r₀, s₀) equaling (N₀, 1). Then

$\begin{matrix} {\begin{matrix} X_{0} = \frac{N_{0} - 1}{2} \\ Y_{0} = \frac{N_{0} + 1}{2} \end{matrix} . & (6) \end{matrix}$

Therefore, in all cases

$\begin{matrix} {\begin{matrix} X_{0}^{2} < Y_{0}^{2} \\ 1 \leq X_{0}^{2} < {(\frac{N_{0} - 1}{2})}^{2} \\ N_{0} + 1 \leq Y_{0}^{2} < {(\frac{N_{0} + 1}{2})}^{2} \end{matrix} & (7) \end{matrix}$

Thus, in all cases, Y₀²>N₀. In some cases, X₀²is greater than N₀.

A Restatement

Given N₀and an odd prime p, the general solution of (1) has the following form:

$\begin{matrix} {\begin{matrix} r_{0} = α + λ_{0} \cdot p \\ s_{0} = β + μ_{0} \cdot p \end{matrix} . & (8) \end{matrix}$

where α, β, λ₀, and μ₀denote integers and where α·β≡N₀(mod p). If α and β are both even or both odd, λ₀and μ₀have the same parity. Otherwise, define β′=β+p and μ′₀=μ₀−1. Thus, without loss of generality, it is possible to define two integers U₀and V₀as follows:

$\begin{matrix} {\begin{matrix} U_{0} = \frac{λ_{0} - μ_{0}}{2} \\ V_{0} = \frac{λ_{0} + μ_{0}}{2} \end{matrix} . & (9) \end{matrix}$

Then

$\begin{matrix} {\begin{matrix} r_{0} = α + U_{0} \cdot p + V_{0} \cdot p \\ s_{0} = β - U_{0} \cdot p + V_{0} \cdot p \end{matrix} . & (10) \end{matrix}$

The integers V₀and U₀are usually referred to as the symmetric and antisyrnmetric components of the pair (r₀, s₀), respectively. In general, in the search for (U₀, V₀), all values of α in the interval 1≤α<p may need to be tested.

The complexity of the problem is reduced in the cases when

$\begin{matrix} {\begin{matrix} α \equiv β (\mod p) \\ α \cdot β \equiv N_{0} (\mod p^{2}) . \end{matrix} & (11) \end{matrix}$

In such cases V₀≡0 (mod p).

In order to realize this situation, it is possible to restate the problem of factoring N₀into the problem of factoring some integer N which satisfies (11). To this end, select a prime p, and let n₀be the unique integer with pⁿ⁰⁻¹<N₀<pⁿ⁰. Select a candidate value of α, say {tilde over (α)}. Then define τ by the following:

N₀≡τ·{tilde over (α)}²(mod p²). (12)

Let {tilde over (τ)} denote the least positive residue of (12). Then β≡{tilde over (τ)}·{tilde over (α)} (mod p). If {tilde over (τ)} is odd, define the integer N by the following

N={tilde over (τ)}·N₀ (13)

where, for some integer n, pⁿ⁻¹<N<pⁿ. Then N is a quadratic residue modulo p and

N≡{tilde over (τ)}²·{tilde over (α)}²(mod p). (14)

Note that now there is a factorization N=r·s, with r≡s (mod p), namely r={tilde over (τ)}r₀and s=s₀. There exist unique integers U and V such that

$\begin{matrix} {\begin{matrix} r = \tilde{τ} \cdot \tilde{α} + U \cdot p + V \cdot p^{2} \\ s = \tilde{τ} \cdot \tilde{α} - U \cdot p + V \cdot p^{2}, \end{matrix} & (15) \end{matrix}$

where

$\begin{matrix} {\begin{matrix} r = \tilde{τ} \cdot r_{0} \\ s = s_{0} \end{matrix} & (16) \end{matrix}$

Notice that, if U>0, r>s.

In the case of (15), it will be

$\begin{matrix} {\begin{matrix} Y = \tilde{τ} \cdot \tilde{α} + V \cdot p^{2} \\ X = U \cdot p . \end{matrix} & (17) \end{matrix}$

Also, since {tilde over (τ)} is odd,

$\begin{matrix} {\begin{matrix} Y = \frac{\tilde{τ} \cdot r_{0} + s_{0}}{2} \\ X = \frac{\tilde{τ} \cdot r_{0} - s_{0}}{2} \end{matrix} . & (18) \end{matrix}$

The factorization problem requires the identification of a pair (Ũ, {tilde over (V)}) such that, for the corresponding ({tilde over (r)}, {tilde over (s)}), it is

N={tilde over (r)}·{tilde over (s)}. (19)

In general, all the values of α should be tested.

Consider the expression of Y when Ã is used in lieu of {tilde over (τ)}·{tilde over (α)}:

$\begin{matrix} \begin{matrix} Y = \tilde{τ} \cdot \tilde{α} + V \cdot p^{2} \\ = \tilde{A} + V_{1} \cdot p^{2} \end{matrix} & (20) \end{matrix}$

for some integer V₁. Recall that, by (7),

√{square root over (N)}<Y<N. (21)

There are two significant particular cases: if Ã<√{square root over (N)}, then V₁>0. Also, if Ã>N, then V₁<0. Throughout this presentation, Ã will be greater than N. For simplicity of notation, the integer V will be constrained to be positive. Then (15) takes the following form:

$\begin{matrix} {\begin{matrix} \tilde{A} > N \\ r = \tilde{A} + U \cdot p - V \cdot p^{2} \\ s = \tilde{A} - U \cdot p - V \cdot p^{2} \end{matrix} . & (22) \end{matrix}$

A particular definition of N can be produced when τ is computed modulo pⁿ⁰. In this presentation, without loss of generality, it will be assumed that {tilde over (τ)} is a positive odd integer, and so N={tilde over (τ)}N₀is an odd quadratic residue modulo p.

A Note on the Representation of N

Given pⁿ⁻¹<N<pⁿ, where N is a quadratic residue modulo p, let

$\begin{matrix} N = \sum_{i = 0}^{n - 1} v_{i} \cdot p^{i}, & (23) \end{matrix}$

where {v_i} denote integers, and 0≤v_i<p.

It is desired to compute a solution of the following:

N≡A²(mod pⁿ) (24)

where

$\begin{matrix} A \equiv \sum_{i = 0}^{n - 1} a_{i} \cdot p^{i} (\mod p^{n}), & (25) \end{matrix}$

and where

0≤α_i<p. (26)

Subject to (26), the solution of (24) is provided by the following:

$\begin{matrix} {\begin{matrix} v_{0} \equiv a_{0}^{2} (\mod p) \\ v_{1} \equiv 2 \cdot a_{0} \cdot a_{1} + \frac{a_{0}^{2} - v_{0}}{p} (\mod p) \\ v_{2} \equiv 2 \cdot a_{0} \cdot a_{1} + a_{1}^{2} + \frac{{RH}_{1} - {LH}_{1}}{p} (\mod p) \\ \dots \\ v_{i} \equiv \sum_{k = 0}^{i} a_{k} \cdot a_{i - k} + \frac{{RH}_{t - 1} - {LH}_{t - 1}}{p} (\mod p) \\ \dots \\ v_{n - 1} \equiv \sum_{k = 0}^{n - 1} a_{k} \cdot a_{n - k} + \frac{{RH}_{n - 2} - {LH}_{n - 2}}{p} (\mod p) \end{matrix}, & (27) \end{matrix}$

where RH_iand LH_idenote the RHS and LHS, respectively, of the congruence containing v_i.

The terms (RH_i−LH_i)/p are usually referred to as carries. They are caused by the constraint (26) and flow from the less significant digits to the more significant ones. As an example, consider the problem of solving

N≡A²(mod p⁵), (28)

where N is a quadratic residue modulo p. Assume p=13 and

$\begin{matrix} \begin{matrix} N = \sum_{i = 0}^{4} v_{i} \cdot p^{i} \\ = 10 + 2 \cdot p + 10 \cdot p^{2} + 5 \cdot p^{3} + 0 \cdot p^{4} \\ = 12711. \end{matrix} & (29) \end{matrix}$

If 0≤α_i<p, a solution of (28), say Ã, can be represented as follows:

Ã=6+0·p+3·p²+10·p³+5·p⁴. (30)

A second solution of (28) occurs when {tilde over (α)}₀=6 is replaced by α₀=p−{tilde over (α)}₀=7. In this case

Ā=7+12·p+9·p²+2·p³+7·p⁴. (31)

Consider removing the magnitude constraints (26) from all α_iand representing A as

A≡ω₀+ω₁·p+ω₂·p²+ω₃·p³+ω₄·p⁴(mod p⁵), (32)

where the coefficients of any power of p are positive integers and are constrained by the following conditions:

0≤ω_i<pⁿ⁻ⁱ. (33)

Then the congruence (28) can be satisfied if the sum of the coefficients of any power of p, say pⁱ, is congruent to zero modulo p⁵⁻ⁱ. Specifically, in the example, it must be

$\begin{matrix} {\begin{matrix} v_{0} \equiv ω_{0}^{2} (\mod p^{5}) \\ v_{1} \cdot p \equiv 2 \cdot ω_{0} \cdot ω_{1} \cdot p (\mod p^{5}) \\ v_{2} \cdot p^{2} \equiv ω_{1}^{2} \cdot P^{2} + 2 \cdot ω_{0} \cdot ω_{2} \cdot p^{2} (\mod p^{5}) \\ v_{3} \cdot p^{3} \equiv 2 \cdot ω_{1} \cdot ω_{2} \cdot p^{3} + 2 \cdot ω_{0} \cdot ω_{3} \cdot p^{3} (\mod p^{5}) \\ v_{4} \cdot p^{4} \equiv ω_{2}^{2} \cdot p^{4} + 2 \cdot ω_{1} \cdot ω_{3} \cdot p^{4} + 2 \cdot ω_{0} \cdot ω_{4} (\mod p^{5}) \end{matrix} & (34) \end{matrix}$

In the example, consider the condition

10≡ω₀²(mod p⁵) (35)

For ω₀≡6 (mod p) , the least positive solution, say {tilde over (ω)}₀, is {tilde over (ω)}₀=181200. For {tilde over (ω)}₀≡p−6≡7 (mod p), it is ω₀=190043. To satisfy the second of (34) when {tilde over (ω)}₀=181200, it must be

2·p≡2·{tilde over (ω)}₀·ω₁·p (mod p⁵). (36)

The least positive solution, say {tilde over (ω)}₁, is {tilde over (ω)}₁=18120.

Thereafter, from the third of (34), let

10·p²≡({tilde over (ω)}₁²+2·{tilde over (ω)}₀·{tilde over (ω)}₂)·p²(mod p⁵), (37)

whence {tilde over (ω)}₂=1814. Likewise, from the fourth of (34), let

5·p³≡2·{tilde over (ω)}₁·{tilde over (ω)}₂·p³+2·ω₀·ω₃·p³(mod p⁵), (38)

whence {tilde over (ω)}₃=97. Finally, from the fifth of (34), let

0·p⁴≡ω₂²·p⁴+2ω₁·ω₃p⁴+2ω₀·p⁴(mod p⁵), (39)

whence {tilde over (ω)}₄=12. Then

N≡(181200+18120·p+1814·p²+97·p³+12·p⁴)²(mod p⁵) (40)

Proceeding in a similar fashion with ω₀=190093, it is

N≡(190093+10441·p+383·p²+72·p³+1·p⁴)²(mod p⁵) (41)

Comparison of the resulting {tilde over (ω)}_iwith the corresponding ω_iyields

$\begin{matrix} {\begin{matrix} ω_{i} + {\overline{ω}}_{i} = p^{5 - i} \\ 0 < ω_{i} < p^{5 - i} \end{matrix} & (42) \end{matrix}$

or

(ω_i+ω_i)·pⁱ=p⁵. (43)

Thus, in the example,

$\begin{matrix} \begin{matrix} 181200 + 190093 & = p^{5} \\ 18120 + 10441 & = p^{4} \\ 1814 + 383 & = p^{3} \\ 97 + 72 & = p^{2} \\ 12 + 1 & = p \end{matrix} & (44) \end{matrix}$

and

Ã+Ā=5·p⁵. (45)

Notice that, when Ã and Ā are subject to the constraint (26), as in (40) and (31), their sum equals 5p⁵.

Comparing the representations of Ã of (40) and (30), it can be stated that the representation proposed by (40) entails an equipartition of weight among the 5 degrees of freedom of (32).

Remark 1. In the example, each coefficient {tilde over (ω)}_iof Ã is computed modulo p⁵⁻ⁱ. If the magnitude constraint (26) were to be applied to the coefficients on the RHS of (40) and (41), the coefficients ω_iwould be reduced modulo p and the structure (34) would be demolished.

In practice, the integer N, as represented on the RHS of (40) and (41), should be treated as a polynomial in some integer variable u, say P(u), where P(u) happens to be computed at u=p.

Remark 2. In (32) the representation of the coefficients ω_ii is arbitrary. In (40) and (41) such coefficients are represented in base 10. They may be represented in any other base, such as p.

Remark 3. It should be noted that in (28) p⁴<N<p⁵and in (32) A is being defined modulo p⁵. In general, such may not be the case. It is possible that A be defined modulo a larger power of p, depending on the requirements of the problem on hand. A similar situation occurs in the domain of irrational numbers, such as √{square root over (2)}. √{square root over (2)} may be computed with a large number of decimal digits, depending on the precision required by the problem on hand. No harm is done if the precision of the computed value of √{square root over (2)} is greater than needed.

As an example, consider the case when p=13 and N_1<p². Assume that N₁=v₀+v₁·p=10+2·p. It is desired to solve

N₁≡A²(mod p⁵). (46)

In this case the integers ω_iare defined by the following:

$\begin{matrix} {\begin{matrix} v_{0} \equiv ω_{0}^{2} & (\mod p^{s}) \\ v_{1} \cdot p \equiv 2 \cdot ω_{0} \cdot ω_{1} \cdot P & (\mod p^{5}) \\ 0 \equiv ω_{1}^{2} \cdot p^{2} + 2 \cdot ω_{0} \cdot ω_{z} \cdot p^{2} & (\mod p^{5}) \\ 0 \equiv 2 \cdot ω_{1} \cdot ω_{2} \cdot p^{3} + 2 \cdot ω_{0} \cdot ω_{3} \cdot p^{3} & (\mod p^{5}) \\ 0 \equiv 2 \cdot ω_{1} \cdot ω_{3} \cdot p^{4} + 2 \cdot ω_{0} \cdot ω_{4} \cdot p^{4} + ω_{2}^{2} \cdot p^{4} & (\mod p^{5}) \end{matrix} & (47) \end{matrix}$

For ω₀=6 (mod p), the result is

$\begin{matrix} \begin{matrix} N_{1} = 10 + 2 \cdot p \\ \equiv {(1 8 1 2 0 0 + 18120 \cdot p + 1291 \cdot p^{2} + 23 \cdot p^{3} + 2 \cdot p^{4})}^{2} (\mod p^{5}) . \end{matrix} & (48) \end{matrix}$

Compare with (40).

Remark 4. As a further application of this method of representation of integers, consider the problem of computing Ã⁻¹(mod p⁵) when Ã is defined as in (32). Let

Ā⁻¹≡w₀+w₁·p+w₂·p²+w₃·p³+w₄·p⁴(mod p⁵) (49)

and

Ã·Ã⁻¹≡1 (mod p⁵) (50)

The coefficients w_ishould be defined as the least positive solutions of the following:

$\begin{matrix} {\begin{matrix} {\tilde{ω}}_{0} \cdot w_{0} & \equiv 1 (\mod p^{5}) \\ {\tilde{ω}}_{0} \cdot w_{1} + {\tilde{ω}}_{1} \cdot {\tilde{w}}_{0} & \equiv 1 (\mod p^{4}) \\ {\tilde{ω}}_{0} \cdot w_{2} + {\tilde{ω}}_{1} \cdot {\tilde{w}}_{1} + {\tilde{ω}}_{2} \cdot {\tilde{w}}_{0} & \equiv 0 (\mod p^{3}) \\ {\tilde{ω}}_{0} \cdot w_{3} + {\tilde{ω}}_{1} \cdot {\tilde{w}}_{2} + {\tilde{ω}}_{2} \cdot {\tilde{w}}_{1} + {\tilde{ω}}_{3} \cdot {\tilde{w}}_{0} & \equiv 0 (\mod p^{2}) \\ {\tilde{ω}}_{0} \cdot w_{4} + {\tilde{ω}}_{1} \cdot {\tilde{w}}_{3} + {\tilde{ω}}_{2} \cdot {\tilde{w}}_{2} + {\tilde{ω}}_{3} \cdot {\tilde{w}}_{1} + {\tilde{ω}}_{4} \cdot {\tilde{w}}_{0} & \equiv 0 (\mod p) \end{matrix} & (51) \end{matrix}$

In the example, Ã⁻¹≡18120+26749·p+1590·p²+73·p³+9·p⁴(mod p⁵). The product Ã·Ã⁻¹also contains the following terms:

$\begin{matrix} {\begin{matrix} (ω_{1} \cdot w_{4} + ω_{2} \cdot w_{3} + ω_{3} \cdot w_{2} + ω_{4} \cdot w_{1}) \cdot p^{5} & = 3 47391 \cdot p^{5} \\ (ω_{2} \cdot {\tilde{w}}_{4} + {\tilde{ω}}_{3} \cdot {\tilde{w}}_{3} + {\tilde{ω}}_{4} \cdot {\tilde{w}}_{z}) \cdot p^{6} & = 15478 \cdot p^{6} \\ ({\tilde{ω}}_{3} \cdot {\tilde{w}}_{4} + {\tilde{ω}}_{4} \cdot {\tilde{w}}_{3}) \cdot p^{7} & = 353 \cdot p^{7} \\ {\tilde{ω}}_{4} \cdot {\tilde{w}}_{4} \cdot P^{8} & = 18 \cdot p^{8} . \end{matrix} & (52) \end{matrix}$

Supercongruences

This section summarizes the approach of U.S. Pat. No. 10,298,393 B1. This is generalized and improved upon via standard polynomials later.

Given p and N, select Ã as one of the solutions of (24) modulo pⁿ, computed using the procedure described in Section 7. Assume Ã>pⁿ.

Then, using (26), let

N=Ã²U²·p²−2·Ã·V·p²+V²·p⁴, (53)

where

$\begin{matrix} {\begin{matrix} \tilde{A} = \sum_{i = 0}^{n - 1} {\tilde{ω}}_{i} \cdot p^{i} \\ U = \sum_{i = 1}^{n - 1} u_{i} \cdot p^{i - 1} \\ V = \sum_{i = 1}^{n - 1} v_{i} \cdot p^{i - 2} \end{matrix} & (54) \end{matrix}$

Referring to (40), recall that each ω_ican be represented as

$\begin{matrix} ω_{i} = \sum_{k = 0}^{n - 1 - i} ω_{i, k} \cdot p^{k} . & (55) \end{matrix}$

Also,

$\begin{matrix} {\begin{matrix} u_{i} = \sum_{k = 1}^{n - 1 - i} u_{i, k} \cdot p^{k - 1} \\ v_{i} = \sum_{k = 1}^{n - 1 - i} v_{i, k} \cdot p^{k - 2} \end{matrix} & (56) \end{matrix}$

and

$\begin{matrix} {\begin{matrix} U_{i, j} & = \overset{j}{\sum_{k = 1}} u_{i, j} \cdot p^{k - 1} \\ V_{i, j} & = \sum_{k = 1}^{j} v_{i, k} \cdot p^{k - 2} \end{matrix} & (57) \end{matrix}$

Then

$\begin{matrix} {\begin{matrix} r \equiv \tilde{A} + u_{1} \cdot p + (- v_{2} + u_{2}) \cdot p^{2} + (- v_{3} + u_{3}) \cdot p^{3} + \dots + (- v_{n - 1} + u_{n - 1}) \cdot p^{n - 1} (\mod p^{n}) \\ s \equiv \tilde{A} - u_{1} \cdot p + (- v_{2} - u_{2}) \cdot p^{2} + (- v_{3} - u_{3}) \cdot p^{3} + \dots + (- v_{n - 1} - u_{n - 1}) \cdot p^{n - 1} (\mod p^{n}) \end{matrix} & (58) \end{matrix}$

The representation (58) of r and s accounts for the fact that both r and s are smaller than pⁿ. However, using (58), the product of r by s contains powers of p greater than pⁿ, actually as high as p^2·n−2.

In order to uncover the properties which relate the coefficients of (58), it is necessary to compute, and represent without loss of information, the multiples of any pⁱwhich results from the multiplication of r and s. To this end a new modulus is introduced, namely p^M, where M>n. The use of M does not affect the magnitude of N. If N<pⁿ, it can be represented as follows:

$\begin{matrix} {\begin{matrix} N = \sum_{i = 0}^{n - 1} v_{i} \cdot p^{i} \\ v_{i} = 0 for n - 1 < i \leq M - 1 \end{matrix} & (59) \end{matrix}$

When M is employed in lieu of n, Ã should be computed as a solution of the following:

N≡A²(mod p^M). (60)

The Approach

In the case where (59) is employed, reduction of (58) modulo p³yields

$\begin{matrix} \frac{N - Ã^{2}}{p^{M}} \cdot p^{M} \equiv (- u_{1}^{2} - 2 \cdot Ã \cdot v_{2}) \cdot p^{2} (\mod p^{3}) . & (61) \end{matrix}$

Then, if the pair (ũ₁, {tilde over (v)}₂) is a solution of (61) modulo p, it is

$\begin{matrix} \frac{N - Ã^{2}}{p^{M}} \cdot p^{M} + (\frac{{\tilde{u}}_{1}^{2} + 2 \cdot \tilde{A} \cdot {\tilde{v}}_{2}}{p} \cdot p) \cdot p^{2} \equiv (- 2 \cdot {\tilde{u}}_{1} \cdot u_{2} - 2 \cdot \tilde{A} \cdot v_{3}) \cdot p^{3} (\mod p^{4}) & (62) \end{matrix}$

The LHS of this congruence contains a contribution to the set of multiples of p³. This contribution is usually denoted as a “carry”. The flow of carries from one digit to the higher powers of p increases the complexity of the factorization problem. The flow of carries would be controlled better if (61) were solved modulo p^Mand the pair (u₁², v₂) were defined modulo p^M−2. In this case (62) could take the following form:

$\begin{matrix} \frac{N - {\tilde{A}}^{2}}{p^{M}} \cdot p^{M} + (\frac{{\tilde{u}}_{1}^{2} + 2 \cdot \tilde{A} \cdot {\tilde{v}}_{2}}{p^{M - 2}} \cdot p^{M - 2}) \cdot p^{2} \equiv (- 2 \cdot {\tilde{u}}_{1} \cdot u_{2} - 2 \cdot \tilde{A} \cdot v_{3}) \cdot p^{3} (\mod p^{4}) & (63) \end{matrix}$

This approach would require replacing the magnitude constraints (25) from the elements of {u_i} and {v_i} and assuring that the RHS of congruences such as (63) include all the terms which are multiples of any given pⁱ. Following this procedure, still there would be carries, as shown on the LHS of (63). However, such carries would flow from any given congruence directly into a pool of multiples of p^M.

In this approach, quantities such as Ã²−N are treated as polynomials in p, where the coefficients are integers unconstrained by (26) but instead subject to a different constraint such as (33).

Consider the representation of the pair (r, s) as in (58), where Ã is constructed as described above, and M is used in lieu of n. Thus, when r is multiplied by s, it is possible to group all the terms which contain any multiple of any given power of p, say pⁱ, and place the condition that the sum of their coefficients be congruent to zero modulo p^M−i.

However, resolving the integer Ã²−N into its components, the sum of the coefficients of pⁱin (Ã²−N) equals

$\begin{matrix} \begin{matrix} \sum_{k = 0}^{i} {\tilde{ω}}_{k} \cdot {\tilde{ω}}_{i - k} - v_{i} \equiv  0 (\mod p^{M - i}) \\ = {\tilde{η}}_{i} \cdot p^{M - i} . \end{matrix} & (64) \end{matrix}$

(n_ian integer).

As a result, consider the case when it is desired to express v₆as a function of all the u_l(1≤l≤5) and the v_j(2≤j≤5). It will be

−(2·{tilde over (ω)}₀·v₆+2·{tilde over (ω)}₁·v₅+2·{tilde over (ω)}₂·v₄+2·{tilde over (ω)}₃·v₃+2·{tilde over (ω)}₄·v₂)+2·v₂·v₄+v₃²≡2·u₁·u₅+2·u₂·u₄+u₃²(mod p^M−6). (65)

This congruence defines v₆modulo p^M−6as a function of lesser degree variables. If u₁≢0 (mod p) and if all variables of lesser degree are known, (65) defines a linear congruence between v₆and u₅modulo p^M−6. After determination of v₆, upon multiplication by p⁶, it will be

$\begin{matrix} (\frac{L H_{6} - R H_{6}}{p^{M - 6}} \cdot p^{M - 6}) \cdot p^{6} \equiv 0 (\mod p^{M}), & (66) \end{matrix}$

where LH₆and RH₆denote the LHS and RHS of (65), respectively. The LHS of this latter congruence is a multiple of p^Mand does not contain any power of p greater than p^M. In general, for 2≤i≤M−1,

$\begin{matrix} {\begin{matrix} u_{1} ≢ 0 (\mod p) \\ 2 \leq i \leq M - 1 \\ - 2 \cdot \sum_{k = 2}^{i} {\tilde{ω}}_{i - k} \cdot v_{κ} + \sum_{κ = 2}^{i - 2} v_{k} \cdot v_{i - k} \equiv \sum_{/ 𝔠 = 1}^{i - 1} u_{k} \cdot u_{i - k} (\mod p^{M - i}) . \end{matrix} & (67) \end{matrix}$

The first summation on the LHS of (67) contains terms which result from the multiplication of −2·Ã by (Ã−Y), when Ã is represented as described in Section 7. The second summation on the LHS results from (Ã−Y)².

In general, assume that u_M−j=0 for 1≤j≤j₀. Therefore, at this point, j₀is an undetermined integer. The pair (r, s) is dependent on the set {u_i} and on the first elements of {v_i}, for 2≤i≤j₀+1. The general expression of (r, s) is

$\begin{matrix} {\begin{matrix} r = {\tilde{ω}}_{0} + {\tilde{ω}}_{1} \cdot p + {\tilde{u}}_{1} \cdot p + \sum_{i = 2}^{j_{0}} \tilde{ζ} \cdot p^{i} + ζ_{j_{0} + 1} \cdot p^{j_{0} + 1} + 2 \cdot \sum_{i = 2}^{j_{0}} {\tilde{u}}_{i} \cdot p^{i} \cdot 2 \sum_{i = j_{0} + 1}^{M - j_{0} - 1} u_{i} \cdot p^{i} \\ s = {\tilde{ω}}_{0} + {\tilde{ω}}_{1} \cdot p - {\tilde{u}}_{1} \cdot p + \sum_{i = 2}^{j_{0}} {\tilde{ζ}}_{i} \cdot p^{\dot{t}} + ζ_{j_{0} + 1} \cdot p^{j_{0} + 1} \end{matrix} & (68) \end{matrix}$

where

ζ_k={tilde over (ω)}_k−v_k−u_k. (69)

Supercongruence for u₁and u₂

To determine the first two coefficients of U, impose the condition that u_M−1=0 and

ω_i−u_i−v_i≡0 (mod p^M−i)

for all i>2, also put ζ₂=ω₂−u₂−v₂. Then

Consider the case when it has been assumed that u_M−1=0. It is desired to determine a pair of divisors (r, s) when u_M−2≠0, if such a pair exists. In this case (68) can be written as follows:

$\begin{matrix} {\begin{matrix} u_{M - 1} = & 0 \\ r = & {\tilde{A}}_{2} + u_{1} \cdot p + (- v_{2} + u_{2}) \cdot p^{2} \\ s = & \tilde{A_{2}} - u_{1} \cdot p + (- v_{2} + u_{2}) \cdot p^{2} - 2 \cdot \sum_{i = 3}^{M - 2} u_{i} \cdot p^{i} \end{matrix} & (70) \end{matrix}$

where

Ã₂={tilde over (ω)}₀+{tilde over (ω)}₁·p+{tilde over (ω)}₂·p² (71)

and

$\begin{matrix} {\begin{matrix} u_{M - 1} = 0 \\ r = {\tilde{A}}_{1} + u_{1} \cdot p + ζ_{2} \cdot p^{2} + 2 \cdot \sum_{i = 2}^{M - 2} u_{i} \cdot p^{i} \\ s = {\tilde{A}}_{1} - u_{1} \cdot p + ζ_{2} \cdot p^{2} \end{matrix} & (72) \end{matrix}$

where

Ã₁={tilde over (ω)}₀+{tilde over (ω)}₁·p (73)

and where ζ₂is defined as in (69):

$\begin{matrix} {\begin{matrix} u_{M - 1} = 0 \\ u_{M - 2} \neq 0 \\ ζ_{2} = ω_{2} - v_{2} - u_{2} . \end{matrix} & (74) \end{matrix}$

Compare with (68) and (69).

Using (72), multiply r by s modulo p^M. Setting the sum of the coefficients of any given power of p congruent to zero (mod p^M−i) yields

Let RH_iand LH_idenote the RHS and the LHS, respectively, of that congruence in (75) which is defined modulo p^M−i. Then, it must be

RH_i−LH_i≡0 (mod p^M−i) (76)

Define

$\begin{matrix} C_{i} = \frac{{RH}_{i} - {LH}_{i}}{p^{M - i}} & (77) \end{matrix}$

There is one condition which is not contained in (75): that is the condition that the sum of all multiples of p^Min the system be equal to zero:

$\begin{matrix} 0 = \sum_{i = 0}^{M - 1} C_{i} . & (78) \end{matrix}$

Refer to (72).

In this equation the integer u_M−2is defined modulo p²by the second last congruence of (75). Also in the computation of C_M−1, the integers u_M−2and u_M−3equal the corresponding values in the second last congruence of (75). The set of congruences (75) shall be referred as a supercongruence.

Supercongruence for u₃

Consider the case when, given M, the system (75) has produced a set of viable pairs (u₁, u₂). In general, the majority of such pairs do not satisfy the conditions on the carries and cannot be considered as viable candidates.

Given a selection of u₁, upon multiplication of r by s, the following relationships are applicable:

$\begin{matrix} u_{M - 1} = 0 \\ v_{0} \equiv ω_{0}^{2} (\mod p^{M}) \\ v_{1} \equiv 2 \cdot ω_{0} \cdot ω_{1} (\mod p^{M - 1}) \\ v_{2} \equiv 2 \cdot ω_{0} \cdot ω_{2} + ω_{1}^{2} - u_{1}^{2} - 2 \cdot ω_{0} \cdot v_{2} (\mod p^{M - 2}) \\ \equiv ω_{1}^{2} - u_{1}^{2} + 2 \cdot ω_{0} \cdot ζ_{2} + 2 \cdot ω_{0} \cdot u_{2} (\mod p^{M - 2}) . \end{matrix}$

Given u₁, this congruence produces v₂modulo p^M−2. The last congruence makes use of the definition

ζ₂≡{tilde over (ω)}₂−v₂−u₂(mod p^M−2).

Given a selection of u₂,

$\begin{matrix} v_{3} \equiv 2 \cdot ω_{0} \cdot ω_{3} + 2 \cdot ω_{1} \cdot ω_{2} - 2 \cdot u_{1} \cdot u_{2} - 2 \cdot ω_{1} \cdot v_{2} - 2 \cdot ω_{0} \cdot v_{3} (\mod p^{M - 3}) \\ \equiv 2 \cdot {\tilde{ω}}_{0} \cdot u_{3} + 2 \cdot ({\tilde{ω}}_{1} - u_{1}) \cdot u_{2} + 2 \cdot {\tilde{ω}}_{1} \cdot ζ_{2} + 2 \cdot {\tilde{ω}}_{0} \cdot ζ_{3} (\mod p^{M - 3}) \end{matrix}$

Given u₂, this congruence produces v₃modulo p^M−3. The last congruence makes use of the definition

ζ₃≡{tilde over (ω)}₃−v₃−u₃(mod p^M−3).

Given a selection of the auxiliary variable u₃, let

v₄≡2·ω₀·ω₄+2·ω₁·ω₃+ω₂²−2·u₁·u₃−u₂²−2·ω₂·v₂−2·ω₁·v₃+v₂²−2·ω₀·v₄(mod p^M−4)

Given u₃, this congruence produces v₄modulo p^M−4.

Multiplication of r by s produces

v₅≡2·ω₀·u₅+2·(ω₁−u₁)·u₄+2·ζ₂·u₃+2·ζ₃·u₂+2·ζ₂·ζ₃(mod p^M−5)
v₆≡2·ω₀·u₆+2·(ω₁−u₁)·u₅+2·ζ₂·u₄+2·ζ₃·u₃+ζ₃²(mod p^M−6)

For i>6, it will be

v₇≡2·ω₀·u₇+2·(ω₁−u₁)·u₆+2·ζ₂·u₅+2·ζ₃·u₄(mod p^M−7)
v_i≡2·ω₀·u_i+2·(ω₁−u₁)·u_i−1+2·ζ₂·u_i−2+2·ζ₃·u_i−3(mod p^M−i)

with, finally:

v_M−3≡2·ω₀·u_M−3+2·(ω₁−u₁)·u_M−4+2·ζ₂·u_M−5+2·ζ₃·u_M−6(mod p³)
v_M−2≡2·(ω₁−u₁)·u_M−3+2·ζ₂·u_M−4+2·ζ₃·u_M−5(mod p²)
v_M−1≡2·ζ₂·u_M−3+2·ζ₃·u_M−4(mod p)

IN SUMMARY, given (u_i, u₂) and the selection of u₃, IF the pair (r, s) is represented as follows:

$\begin{matrix} {\begin{matrix} u_{M - 1} = 0 \\ u_{M - 2} = 0 \\ r = {\tilde{A}}_{1} + {\tilde{u}}_{1} \cdot p + {\tilde{ζ}}_{2} \cdot p^{2} + ζ_{3} \cdot p^{3} + 2 \cdot {\tilde{u}}_{2} \cdot p^{2} + 2 \cdot \sum_{i = 2}^{M - 4} u_{i} \cdot p^{i} \\ s = {\tilde{A}}_{1} + {\tilde{u}}_{1} \cdot p + {\tilde{ζ}}_{2} \cdot p^{2} + ζ_{3} \cdot p^{3} (\mod p), \end{matrix} & (79) \end{matrix}$

multiplication of r by s modulo p^Myields:

$\begin{matrix} {\begin{matrix} u_{M - 2} = 0 \\ u_{M - 1} = 0 \\ v_{0} \equiv {\tilde{ω}}_{0}^{2} (\mod p^{M}) \\ v_{1} \equiv 2 \cdot {\tilde{ω}}_{0} \cdot {\tilde{ω}}_{1} (\mod p^{M - 1}) \\ v_{2} \equiv {\tilde{ω}}_{1}^{2} - u_{1}^{2} + 2 \cdot {\tilde{ω}}_{0} \cdot ζ_{2} + 2 \cdot {\tilde{ω}}_{0} \cdot u_{2} (\mod p^{M - 2}) \\ v_{3} \equiv 2 \cdot {\tilde{ω}}_{0} \cdot u_{3} + 2 \cdot ({\tilde{ω}}_{1} - u_{1}) \cdot u_{2} + 2 \cdot {\dot{\tilde{ω}}}_{1} \cdot ζ_{2} + 2 \cdot {\tilde{ω}}_{0} \cdot ζ_{3} (\mod p^{M - 3}) \\ v_{4} \equiv 2 \cdot ω_{0} \cdot u_{4} + 2 \cdot (ω_{1} - u_{1}) \cdot u_{3} + 2 \cdot ζ_{2} \cdot u_{2} + 2 \cdot {\tilde{ω}}_{1} ζ_{3} + ζ_{2}^{2} (\mod p^{M - 4}) \\ v_{5} \equiv 2 \cdot ω_{0} \cdot u_{5} + 2 \cdot (ω_{1} - u_{1}) \cdot u_{4} + 2 \cdot ζ_{2} \cdot u_{3} + 2 \cdot ζ_{3} \cdot u_{2} + 2 \cdot ζ_{2} \cdot ζ_{3} (\mod p^{M - 5}) \\ v_{6} \equiv 2 \cdot ω_{0} \cdot u_{6} + 2 \cdot (ω_{1} - u_{1}) \cdot u_{5} + 2 \cdot ζ_{2} \cdot u_{4} + 2 \cdot ζ_{3} \cdot u_{3} + ζ_{3}^{2} (\mod p^{M - 6}) \\ for i > 6 \\ v_{i} \equiv 2 \cdot ω_{0} \cdot u_{i} + 2 \cdot (ω_{1} - u_{1}) \cdot u_{i - 1} + 2 \cdot ζ_{2} \cdot u_{i - 2} + 2 \cdot ζ_{3} \cdot u_{i - 3} (\mod p^{M - i}) \\ \dots \dots \dots \dots \dots \dots \dots \dots \dots \dots \dots \dots \\ v_{M - 3} \equiv 2 \cdot ω_{0} \cdot u_{M - 3} + 2 \cdot (ω_{1} - u_{1}) \cdot u_{M - 4} + 2 \cdot ζ_{2} \cdot u_{M - 5} + 2 \cdot ζ_{3} \cdot u_{M - 6} (\mod p^{3}) \\ v_{M - 2} \equiv 2 \cdot (ω_{1} - u_{1}) \cdot u_{M - 3} + 2 \cdot ζ_{2} \cdot u_{M - 4} + 2 \cdot ζ_{3} \cdot u_{M - 5} (\mod p^{2}) \\ v_{M - 1} \equiv 2 \cdot ζ_{2} \cdot u_{M - 3} + 2 \cdot ζ_{3} \cdot u_{M - 4} \end{matrix} & (80) \end{matrix}$

For each initial selection of the pair (u₁, u₂), the system (80) may produce a quintuple (u₁, u₂, u₃, ζ₂, ζ₃) such that r·s≡N (mod p^M).

Supercongruence for u₄

After the determination of the roster of candidates quintuples (ũ₁, ũ₂, ũ₃, {tilde over (ζ)}₂, {tilde over (ζ)}₃), a similar procedure can be used to determine the roster {(u₄, ζ₄)}.

In this case, (68) yields:

$\begin{matrix} {\begin{matrix} v_{0} \equiv {\tilde{ω}}_{0}^{2} (\mod p^{M}) \\ v_{1} \equiv 2 \cdot {\tilde{ω}}_{0} \cdot {\tilde{ω}}_{1} (\mod p^{M - 1}) \\ v_{2} \equiv - {\tilde{u}}_{1}^{2} + {\tilde{ω}}_{1}^{2} + 2 \cdot {\tilde{ω}}_{0} \cdot ζ_{2} + 2 \cdot {\tilde{ω}}_{0} \cdot {\tilde{u}}_{2} (\mod p^{M - 2}) \\ v_{3} \equiv 2 \cdot {\tilde{ω}}_{0} \cdot u_{3} + 2 \cdot ({\tilde{ω}}_{1} - {\tilde{u}}_{1}) \cdot {\tilde{u}}_{2} + 2 \cdot {\tilde{ω}}_{1} \cdot {\hat{ζ}}_{2} + 2 \cdot {\tilde{ω}}_{0} \cdot {\tilde{ζ}}_{3} (\mod p^{M - 3}) \\ v_{4} \equiv 2 \cdot {\tilde{ω}}_{1} \cdot {\tilde{ζ}}_{3} + 2 \cdot ({\tilde{ω}}_{1} - {\tilde{u}}_{1}) \cdot {\tilde{u}}_{3} + 2 \cdot {\tilde{ω}}_{0} \cdot ({\tilde{ω}}_{4} - v_{4, 1}) + {\tilde{ζ}}_{2}^{2} + 2 \cdot {\tilde{u}}_{2} \cdot {\tilde{ζ}}_{2}^{2} (\mod p^{M - 4)} \\ v_{5} \equiv 2 \cdot ({\tilde{ω}}_{1} - {\tilde{u}}_{1}) \cdot u_{4} + 2 \cdot {\tilde{ω}}_{0} \cdot u_{5} + 2 \cdot {\tilde{ω}}_{1} \cdot {\tilde{ζ}}_{4} + \sum_{k = 2}^{3} {\tilde{ζ}}_{k} \cdot {\tilde{ζ}}_{5 - k} + 2 \cdot \sum_{k = 2}^{3} {\tilde{u}}_{5 - k} \cdot {\tilde{ζ}}_{k} (\mod p^{M - 5}) \\ For 6 \leq h \leq 8 \\ v_{h} \equiv 2 \cdot ({\tilde{ω}}_{1} - {\tilde{u}}_{1}) \cdot u_{h - 1} + 2 \cdot {\tilde{ω}}_{0} \cdot u_{h} + \sum_{k = h - 4}^{4} {\tilde{ζ}}_{k} \cdot {\tilde{ζ}}_{h - k} + 2 \cdot \sum_{k = 2}^{3} {\tilde{u}}_{h - k} \cdot {\tilde{ζ}}_{k} + 2 \cdot u_{h - 4} \cdot ζ_{4} (\mod p^{M - h}) \\ For 6 \leq h \leq M - 4 \\ v_{h} \equiv 2 \cdot ({\tilde{ω}}_{1} - {\tilde{u}}_{1}) \cdot u_{h - 1} + 2 \cdot {\tilde{ω}}_{0} \cdot u_{h} + 2 \cdot \sum_{k = 2}^{3} {\tilde{u}}_{h - k} \cdot {\tilde{ζ}}_{k} + 2 \cdot u_{h - 4} \cdot ζ_{4} (\mod p^{M - h)} \end{matrix} & (81) \end{matrix}$

To determine u₄(mod p), consider the raster of candidate triads (ũ₁, ũ₂, ũ₃) which were already produced. Substitute ũ₁, ũ₂, and ũ₃into (81) in lieu of u₁, u₂, and u₃, respectively, and search for an integer u₄modulo p which satisfies (81).

The General Supercongruence, Persistent Solutions

Consider the case when a candidate set (ũ₁, {tilde over (ζ)}₂, . . . , {tilde over (ζ)}_j₀, ζ_j₀|M) has been determined. It is desired to determine a candidate set (ũ₁, {tilde over (ζ)}₂, . . . , {tilde over (ζ)}_j₀, ζ_j₀₊₁|M), if such a set exists.

Notice that in (68) the unknown variables are ζ_j₀₊₁and the integers u_i, or j₀+1≤i≤M−j₀−1.

Proceeding as in (75) and (80), multiply r by s modulo p^Mand define the corresponding congruences modulo p^M−i. The congruences which are defined modulo p^M−2through p^M−j⁰are not affected by ζ_j₀₊₁·p^j⁰⁺¹).

The congruence modulo p^M−j⁰⁻¹does not contain u_j₀₊₁. After the computation of u_j₀_+1,1, the system of congruences allows one to determine the whole set {u_i}.

In general, multiplication of r by s modulo p^Musing (68) yields

$\begin{matrix} {\begin{matrix} v_{j_{0} + 1} \equiv 2 \cdot {\tilde{ω}}_{0} \cdot ζ_{j_{0} + 1} + 2 \cdot {\tilde{ω}}_{1} \cdot {\tilde{ζ}}_{j_{0}} + \sum_{k = 2}^{j_{0} - 1} {\tilde{ζ}}_{k} \cdot {\tilde{ζ}}_{j_{0} + 1 - k} + 2 \cdot {\tilde{ω}}_{0} \cdot {\tilde{u}}_{j_{0} + 1} + 2 \cdot ({\tilde{ω}}_{1} - {\tilde{u}}_{1}) \cdot {\tilde{u}}_{j_{0}} + 2 \cdot \sum_{k = 2}^{j_{0} - 1} {\tilde{u}}_{j_{0} + 1 - k} \cdot {\tilde{ζ}}_{k} (\mod p^{M - j_{0} - 1}) \\ v_{j_{0} + 2} \equiv 2 \cdot {\tilde{ω}}_{1} \cdot ζ_{j_{0} + 1} + \sum_{k = 2}^{j_{0} - 1} {\tilde{ζ}}_{j_{0} + 2 - k} \cdot {\tilde{ζ}}_{k} + 2 \cdot {\tilde{ω}}_{0} \cdot {\tilde{u}}_{j_{0} + 2} + 2 \cdot ({\tilde{ω}}_{1} - {\tilde{u}}_{1}) \cdot {\tilde{u}}_{j_{0} + 1} + 2 \cdot \sum_{k = 2}^{j_{0}} {\tilde{u}}_{j_{0} + 2 - k} \cdot {\tilde{ζ}}_{k} (\mod p^{M - j_{0} - 2}) \\ For 3 \leq δ \leq j_{0} + 2 \\ v_{j_{0} + δ} = \sum_{k = δ - 1}^{j_{0} + 1} {\tilde{ζ}}_{j_{0} + δ - k} \cdot {\tilde{ζ}}_{k} + 2 \cdot {\tilde{ω}}_{0} \cdot u_{j_{0} + δ} + 2 \cdot ({\tilde{ω}}_{1} - {\tilde{u}}_{1}) \cdot u_{j_{0} + δ - 1} + 2 \cdot \sum_{k = 2}^{j_{0} + 1} u_{j_{0} + δ - k} \cdot {\tilde{ζ}}_{k} (\mod p^{M - j_{0} - δ}) \\ For j_{0} + 4 \leq δ \leq n - 1 - j_{0} \\ v_{j_{0} + δ} \equiv 2 \cdot {\tilde{ω}}_{0} \cdot u_{j_{o} + δ} + 2 \cdot ({\tilde{ω}}_{1} - {\tilde{u}}_{1}) \cdot u_{j_{0} + δ - 1} + 2 \cdot \sum_{k = 2}^{j_{0} + 1} u_{j_{0} + δ - k} \cdot {\tilde{ζ}}_{k} (\mod p^{M - j_{0} - δ}) . \end{matrix} & (82) \end{matrix}$

Note that u_j₀_+δ=0 for n−2−j₀≤δ≤M−1−j₀.

A set of coefficients (ũ₁, ũ₂, . . . , ũ_M−1) and ({tilde over (v)}₂, {tilde over (v)}₃, . . . , {tilde over (v)}_M−1) is called a persistent solution if the first j₀+1 of the u_isatisfy the corresponding supercongruence (82).

Standard Polynomials

The supercongruences can be clarified with the use of polynomials. The approach here shall be slightly more general than that taken previously.

This section shall make use of vectors of non-negative integers k=[k₀, . . . , k_M−1]. If k and k′ are two such vectors, then write k≤k′ if k_i≤k′_ifor i=0, . . . , M−1. It is also occasionally convenient to regard k and k′ as zero-padded on the right, so that the comparison k≤k′ becomes meaningful even if k and k′ have different lengths.

A vector k=[k₀, . . . , k_M−1] is called monotone decreasing if k₀≥k₁≥ . . . ≥k_M−1.

Definition 1. Let p be prime, M be a positive integer, and k=[k₀, . . . , k_M−1] be a vector of non-negative integers. A polynomial f(x)=f₀+f₁x+f₂x²+ . . . +f_M−1x^M−1is called p^k-standard if

0≤f_i<p^kⁱ

for i=0,1, . . . ,M−1.

Definition 2. Let p, k be as in Definition 1. Let f(x)=f₀+f₁x+ . . . +f_nxⁿbe a polynomial with integer coefficients. The p^k-standard part of f(x) is the polynomial

SP_p_kf(x)=f₀+f₁x+ . . . +f_nxⁿ

where, for 0≤i<M,

f_i=f_imod p^kⁱ.

Note that if f is p^k-standard, then it is p^k′-standard for all k′≥k. When p and k are understood, SP_p_kmay be abbreviated as SP.

Definition 3. If f and g are integer polynomials, then

f≡g (SP_p_k)

shall mean that

SP_p_kf=SP_p_kg.

Digit expansions of positive integers:

Suppose the integer N is prepared as above, and N=v₀+v₁p+ . . . +v_n−1pⁿ⁻¹is the p-adic digit expansion of N. Then

v(x)=v₀+v₁x+ . . . +v_n−1xⁿ⁻¹

is p¹ⁿ-standard where 1_n=[1, 1, . . . , 1] (n times).

Theorem 1. Given a non-negative integer N, there exists a unique 1_n-standard polynomial v(x) such that v(p)=N.

The following recursive algorithm produces the coefficients of the polynomial v(x).

- If N=0, then v(x)=0.
- Otherwise, let N₁, a₀be the quotient and remainder of N on division by p, respectively. Then let v(x)=α₀+xv₁(x) where v₁(x) is the polynomial obtained from applying this algorithm to N₁.

This algorithm terminates after [1+log_pN] steps, and it is clear by induction that N=v(p). For uniqueness, if v and it are two standard polynomials such that v(p)=μ(p), say v(x)=a₀+xv₁(x) and μ(x)=b₀+xμ₁(x), then v(p)≡μ(p) (mod p) implies that a₀≡b₀(mod p) and therefore a₀=b₀since both are non-negative integers less than p. It then follows that v₁(p)=μ₁(p), which now implies uniqueness by induction on the degree.

Properties of the standard part

Proposition 1. f+g≡SP_p_kf+SP_p_kg (SP_p_k) and, if k is monotone decreasing, then f·g≡SP_p_kf·SP_p_kg (SP_p_k)

The following proposition motivates a choice of standard polynomials relevant to the supercongruences:

Proposition 2. Suppose that k=[M, M−1, . . . , 1]. If

f(x)≡g(x) (SP_p_k),

then

f(p)≡g(p) (mod p^M).

In particular, this implies that if standard polynomials A, U, V are chosen such that

v(x)≡(A(x)−U(x)−V(x))(A(x)+U(x)−V(x)) (SP_p_k),

then the difference

(A(p)−U(p)−V(p))(A(p)−U(p)+V(p))−v(p)

is a multiple of p^M, and represents the accumulated carry of the product, which for the purposes of factorization is desired to be zero. The advantage of this approach is that it allows the carry to be deferred to the final stage of the process.

Standard Polynomial Inversion

Theorem 2. Let p be prime and k a nonempty vector of positive exponents. Suppose that f(x) is a p^k-standard polynomial such that f(0)≢0 (mod p). Then there exists a unique p^k-standard polynomial g(x) such that f(x)g(x)≢1 (SP_p_k).

Proof The theorem shall be established by first giving its iterative solution. Since f(0)≢0 (mod p), there exists an integer γ₀such that γ₀f(0)≡1 (mod p). Let g₀(x)=γ₀and, for j=0,1, . . . , define

g_j+1(x)=SP((2−f(x)g_j(x))g_j(x)).

The iteration reaches a fixed point within ┌log₂max(k₀, k₁+1, . . . , k_M−1+M−1)┌ iterations. Indeed, define a norm on the set of integer polynomials via

|f|_p=inf{p^−r−s|r, sϵ custom character , f≡O(x^r) (mod p⁵)}.

Then, it shall be shown below that

|1−fg_j+1|_p≤|1−fg_j|_p². (83)

The constant term of 1−fg₀is zero mod p: i.e., |1−fg₀|<p⁻¹. Consequently it follows by repeated squaring that |1−fg_j|≤p⁻²^jfor all j. Thus as soon as 2^j>max(k₀, k₁+1, . . . , k_M−1+M−1), the standard part of 1−fg_jis zero and g_jis the standard polynomial inverse to f.

It remains to compute 1−fg_j+1:

$\begin{matrix} 1 - {fg}_{j + 1} = 1 - f (2 - {fg}_{j}) g_{j} \\ = (1 - {fg}_{j}) - (1 - {fg}_{j}) g_{j} \\ = {(1 - {fg}_{j})}^{2} \end{matrix}$

whence (83) by multiplicativity of the norm. □

Standard Polynomial Square Root

Theorem 3. Let p be an odd prime and k a nonempty vector of positive exponents. If v(x) is an integer polynomial such that v(0)≡α²(mod p), then there exists a unique standard polynomial A(x) such that:

A²(x)≡v(x) (SP_p_k),

and

A(0)≡α (mod p).

(This theorem implies in particular that, given {tilde over (ω)}₀, there is a unique sequence {tilde over (ω)}₁, {tilde over (ω)}₂, . . . , {tilde over (ω)}_M−1such that (64) holds.)

Proof. By assumption, v(0) is a quadratic residue. Let α²≡v(0) (mod p). Define A₀(x)=αand, for k=0,1, . . . , define

A_k+1(x)=2⁻¹(A_k(x)+v(x)A_k(x)⁻¹) (SP)

where at each stage of the iteration, the inverses are computed as in the previous section.

Consider the difference

$\begin{matrix} v - A_{j + 1}^{2} \equiv v - \frac{1}{4} A_{j}^{2} - \frac{1}{2} v - \frac{1}{4} v^{2} A_{j}^{- 2} \\ = \frac{1}{2} (v - A_{j}^{2}) + \frac{1}{4} (A_{j}^{2} - \frac{v^{2}}{A_{j}^{2}}) \\ = \frac{1}{2} (v - A_{j}^{2}) + \frac{1}{2} \frac{A_{j + 1}}{A_{j}} (A_{j} - \frac{v}{A_{j}}) \\ = \frac{1}{2} (v - A_{j}^{2}) (1 - \frac{A_{j + 1}}{A_{j}}) . \end{matrix}$

Next, note that

$1 - \frac{A_{j + 1}}{A_{j}} = \frac{1}{2} (\frac{v - A_{j}^{2}}{A_{j}}) .$

Substituting into the above gives

$v - A_{j + 1}^{2} = \frac{1}{4} {(v - A_{j}^{2})}^{2} A_{j}^{- 1}$

and therefore, by multiplicativity of the norm from the proof of Theorem 2,

|v−A_j+1²|_p≤|v−A_j²|_p².

Hence,

A_j²≡v (SP)

as soon as 2^j>max(k₀, k₁+1, . . . , k_M−1+M−1).□

Standard Polynomial Factorization

Let N be an integer prepared as in the previous section, and let v(x) be the polynomial obtained from the p-adic digit expansion of N Let A(x) be a standard polynomial such that

A²(x)≡v(x) (SP_p_k).

Definition 4. A standard polynomial factorization of v(x) is a pair of standard polynomials U(x), V(x) such that U(0)=V(0)=V′(0)=0 for which:

- the standard part of the polynomial
  
  (A(x)+U(x)−V(x))(A(x)−U(x)−V(x))
  
  is equal to v(x).

That is:

(A(x)+U(x)−V(x))(A(x)−U(x)−V(x))≡v(x) (SP_p_k). (84)

The condition U(0)=0 shall be abbreviated U(x)=O(x), and the pair of conditions V(0)=V′(0)=0 shall be abbreviated V(x)=O(x²). Note polynomial factorization in the usual sense will not work: v(x) is very unlikely to factor completely, even if N is guaranteed to have factors. For example, with N=15, p=11, v(x)=2+91x+6x²is irreducible, even though N=v(11)=15 has factors 3×5.

U(x) determines V(x) uniquely:

Theorem 4. Suppose A(x) is a standard polynomial such that A(x)²≡v(x) (SP_p_k). Let U(x) be a standard polynomial satisfying U(x)=O(x), Then there exists a unique standard polynomial V(x) satisfying V(x)=O(x²) such that (A(x)+U(x)−V(x))(A(x)−U(x)−V(x))≡v(x) (SP_p_k)

Proof. Rearranging

(A+U−V)(A−U−V)−v=0

as a quadratic equation in V gives:

V²−2AV+(A²−U²−v)=0.

Let Δ(x)=U²(x)+v(x) be the quarter discriminant of the quadratic. Since U(0)=0 and v(0) is a quadratic residue modulo p, Δ(0) is also a quadratic residue modulo p, having square root ω₀mod p. Therefore by Theorem 3, there exists a unique standard polynomial √{square root over (Δ)}(x) with the property that √{square root over (Δ)}(0)≡ω₀(mod p) and

√{square root over (Δ)}(x)²≡Δ(x) (SP)

Note that

√{square root over (Δ)}(x)=A(x)+O(x²)

Therefore

V(x)=A(x)−√{square root over (Δ)}(x) (SP_p_k)

satisfies V(x)=O(x²).

For uniqueness, notice that the other candidate solution to the quadratic is

A(x)+√{square root over (Δ)}(x)≡2A(x)+O(x²) (SP_p_k)

has nonzero lower order terms in x. □

Different Forms of Standard Polynomial Factorization
Definition 5. Given a Factorization

v(x)≡(A(x)+U(x)−V(x))(A(x)−U(x)−V(x)) (SP_p_k)

where U(0)=V(0)=V′(0)=0, define a polynomial ζ(x) by

ζ(x)=A₍₂₎(x)−U₍₂₎(x)−V(x),

where A₍₂₎(x) and U₍₂₎(x) are the quadratic Taylor remainders of A(x) and U(x):

A₍₂₎(x)=A(x)−A₁(x), U₍₂₎(x)=U(x)−U₁(x)

where A₁and U₁denote the linearizations of A an U, respectively:

A₁(x)=A(0)+A′(0)x=ω₀+ω₁x
U₁(x)=U′(0)x=u₁x.

Plugging the definition of ζ(x) into the standard factorization problem

(A(x)+U(x)−V(x))(A(x)−U(x)−V(x))≡v(x) (SP_p_k).

gives

(A₁(x)−U₁(x)+2U(x)+ζ(x))(A₁(x)−U₁(x)+ζ(x))≡v(x) (SP) (85)

That is,

r(x)s(x)≡v(x) (SP)

where

$\begin{matrix} {\begin{matrix} r (x) = A_{1} (x) - U_{1} (x) + 2 U (x) + ζ (x)) \\ s (x) = A_{1} (x) - U_{1} (x) + ζ (x) \end{matrix} & (86) \end{matrix}$

Persistent factorizations

Definition 6. A k-Standard Polynomial Factorization

v(x)≡r(x)s(x) (SP_p_k)

is called persistent if, for all k′≥k, there exist k′-standard polynomials r′(x) and s′(x) having the same degree as r(x) and s(x), respectively, such that

r′(x)≡r(x) (SP_p_k)
s′(x)≡s(x) (SP_p_k)
v(x)≡r′(x)s′(x) (SP_p_k′).

Persistent factorizations as lifts of factorizations mod p:

The following theorem allows polynomials U(x) and ζ(x) modulo p to be determined from a factorization modulo p of v(x). A standard polynomial factorization may then be obtained by applying a lift.

Theorem 5. Suppose that v(x)≡a(x)b(x) (mod p) where a, b are polynomials mod p, and a(0)≡b(0)≡ω₀(mod p). Then the polynomials

A₁(x)=ω₀+ω₁x
ζ(x)=b(x)−b(0)−b′(0)x mod p
U(x)=(a(x)−b(x))/2 mod p

satisfy

A₁(x)−u₁x+2U(x)+ζ(x)=a(x)
A₁(x)−u₁x+ζ(x)=b(x),

where u₁=U′(0). That is,

(A₁(x)−u₁x+2U(x)+ζ(x))(A₁(x)−u₁x+ζ(x))≡v(x) (mod p).

Proof. Write a(x)=ω₀+a₁x+a₂x²+ . . . , b(x)=ω₀+b₁x+b₂x²+ . . . Then since a(x)b(x)≡v(x)≡ω₀²+2ω₀ω₁x+O(x²) (mod p),

it follows that

2ω₁=a₁+b₁

and so u₁=(a₁−b₁)/2=ω₁−b₁Now,

$\begin{matrix} A_{1} (x) - u_{1} x + ζ (x) = ω_{0} + ω_{1} x - (ω_{1} - b_{1}) x + ζ (x) \\ = ω_{0} + b_{1} x + ζ (x) \\ = b (x) . \end{matrix}$

Also, since 2U(x)=a(x)−b(x),

$\begin{matrix} A_{1} (x) - u_{1} x + 2 U (x) + ζ (x) = ω_{0} + 1 / 2 (α_{1} + b_{1}) x - 1 / 2 (a_{1} - b_{1}) x + a (x) - b (x) + ζ (x) \\ = ω_{0} + b_{1} x + a (x) - b (x) ζ (x) \\ = a (x) \end{matrix}$

as claimed.□

Carry Phase

The final phase is concerned with an equation of the form

A²=T·N+correction

where the correction is a multiple of p^M. That is

A²=T·N+k·p^M

expresses A²as the sum of a main term T·N and a correction k·p^M. To analyze the correction term in more detail, a standard polynomial factorization yields a standard polynomial A(x) and a roster of pairs of standard polynomials (U(x), V(x)) such that

(A(x)−U(x)−V(x))(A(x)+U(x)−V(x))−v(x)≡0 (SP_p_k). (87)

Consider the case where k=[M,M−1, . . . , 2,1]. Then, evaluating at x=p yields

(A(p)−U(p)−V(p))(A(p)+U(p)−V(p))≡v(p) (mod p^M).

This equation implies that the difference

(A(p)−U(p)−V(p))(A(p)+U(p)−V(p))−v(p)

is a multiple of p^M, which shall be thought of as a carry, comprised of the carries from the individual terms of the difference (A−U−V)(A+U−V)−v, and deferred to the final phase of the process.

In the carry phase, the roles of the correction term and main term are reversed. What was formerly the correction term, the “carry” −k·p^Mis now the main term. And what was formerly the main term T·N is now the correction.

Geometric Semigroup Law

Henceforth, set A=A(p), U=U(p), V=V(p) with U≡0 (mod p), V≡0 (mod p²), Let C be an integer for which (A−U−V)(A+U−V)−N≡C (mod V), which is to say that:

(A−U−V)(A+U−V)−N=BV+C

for some integers B and C. Assume that C does not share a factor with N. Regard the integer V as a parameter and consider the quadratic polynomial in V:

q(V)=(A−U−V)(A+U−V)−BV−C.

Note that q(V)≡0 (mod N₀). The discriminant of this quadratic is

Δ=B²+4(U²+AB+C).

To facilitate the goal of factorization of q(V), it is desired to change parameters (U, V, C) such that the discriminant becomes a perfect square, because in this case Δ will factor over the integers.

A set of rescalings of the parameters is proposed that shall preserve the property of being a perfect square. Specifically, rescale U, V, C such that CU and UV remain constant. To this end, introduce free homogeneous parameters X₀, X₁and:

- rescale C so that X₀C′≡X₁(mod N₀);
- rescale V so that X₁V≡X₀CV′ (mod N₀); and
- rescale U so that X₀U≡X₁U′ (mod N₀).

Prolong by introducing a parameter X₂such that C²Δ=X₂²(mod N), and X₃such that X₀X₃≡X₁²(mod N). Then points [X₀, X₁, X₂, X₃] are desired such that the quadratic equations are satisfied:

$\begin{matrix} \begin{matrix} Q_{1} : & X_{0} X_{3} - X_{1}^{2} & \equiv 0 & (\mod N_{0}) \\ Q_{2} : & 4 X_{1} X_{3} + (B^{2} + 4 A B) X_{0} X_{3} + 4 U^{2} C^{2} X_{0}^{2} - 4 X_{2}^{2} & \equiv 0 & (\mod N_{0}) \end{matrix}} & (88) \end{matrix}$

A factor is found once one of the scaling parameters [X₀, X₁, X₂, X₃] has a non-trivial factor in common with N. Note that the first equation of (88) is a cylinder over a plane conic. The lines X₀, X₁, X₃=constant are the reguli of the cylinder. An initial non-trivial point on the intersection is [X₀, X₁, X₂, X₃]=[1,0,CU,0].

The following operations are well-defined on the quartuples P: [X₀, X₁, X₂, X₃] satisfying (88), are defined:

The point [X₀, X₁, −X₂, X₃] is the other point on the quadric Q₂lying on the same regulus as P.

Given two points in general position P: [X₀, X₁, X₂, X₃], Q: [Y₀, Y₁, Y₂, Y₃], there is a third point R: [Z₀, Z₁, Z₂, Z₃] satisfying both (88) such that OPQR are coplanar, where O=[0,0,0,1].

Let a=(B²/4+AB) mod N₀. Let [X₀, X₁, X₂, X₃] be coordinates of the first point and [Y₀, Y₁, Y₂, Y₃] coordinates of the second point, so the congruences hold:

X₂²≡X₁X₃+aX₀X₃+C²U²X₀²(mod N₀)
Y₂²≡Y₁Y₃+aY₀Y₃+C²U²Y₀²(mod N₀).

Then the coordinates of the third point [Z₀, Z₁, Z₂, Z₃] are determined mod N₀by:

- If [X₀: X₁: X₂: X₃]=[Y₀: Y₁: Y₂: Y₃], then

$\begin{matrix} Z_{0} = 16 X_{0}^{4} X_{2}^{4} \\ Z_{1} = X_{0}^{4} X_{2}^{2} (4 X_{3}^{2} - 1 6 C^{2} U^{2} X_{0}^{2} a - 3 2 C^{2} U^{2} X_{0} X_{1}) \\ Z_{2} = - 2 X_{0} X_{2} (\begin{matrix} 8 X_{0}^{3} X_{1}^{3} a^{3} + 3 6 X_{0}^{2} X_{1}^{4} a^{2} - 8 X_{0}^{3} X_{1} X_{2}^{2} a^{2} + 5 4 X_{0} X_{1}^{5} a - \\ - 36 X_{0}^{2} X_{1}^{2} X_{2}^{2} a + 2 7 X_{1}^{6} - 3 6 X_{0} X_{1}^{3} X_{2}^{2} + 8 X_{0}^{2} X_{2}^{4} \end{matrix}) \\ Z_{3} = {(4 X_{0}^{2} X_{1}^{2} a^{2} + 1 2 X_{0} X_{1}^{3} a - 4 X_{0}^{2} X_{2}^{2} a + 9 X_{1}^{4} - 8 X_{0} X_{1} X_{2}^{2})}^{2} \end{matrix}$

- Otherwise,

$\begin{matrix} Z_{0} = {(X_{1} Y_{0} - X_{0} Y_{1})}^{4} X_{0}^{2} Y_{0}^{2} \\ Z_{1} = X_{0}^{3} {Y_{0}^{3} (X_{1} Y_{0} - X_{0} Y_{1})}^{2} (2 C^{2} U^{∠} X_{0} y_{0} + 2 X_{1} Y_{1} a + X_{3} Y_{1} - 2 X_{2} Y_{2} + X_{1} Y_{3}) \\ Z_{2} = X_{0}^{3} Y_{0}^{3} (X_{1} Y_{0} - X_{0} Y_{1}) (\begin{matrix} - 4 C^{2} U^{2} X_{0} X_{2} Y_{0}^{2} + 4 C^{2} U^{2} X_{0}^{2} Y_{0} Y_{2} + X_{1} X_{3} Y_{0} Y_{2} + \\ + 3 X_{0} X_{3} Y_{1} Y_{2} - 3 X_{1} X_{2} Y_{0} Y_{3} - X_{0} X_{2} Y_{1} Y_{3} - \\ - 2 a (X_{1} X_{2} Y_{0} Y_{1} - X_{0} X_{3} Y_{0} Y_{2} - X_{0} X_{1} Y_{1} Y_{2} + X_{0} X_{2} Y_{0} Y_{3}) \end{matrix}) \\ Z_{3} = {(\begin{matrix} {(X_{1} Y_{0} - X_{0} Y_{1})}^{2} X_{0} Y_{0} a + X_{1}^{3} Y_{0}^{3} - X_{0} X_{2}^{2} Y_{0}^{3} - X_{0} X_{1}^{2} Y_{0}^{2} Y_{1} - \\ - X_{0}^{2} X_{1} Y_{0} Y_{1}^{2} + X_{0}^{3} Y_{1}^{3} + 2 X_{0}^{2} X_{2} Y_{0}^{2} Y_{2} - X_{0}^{3} Y_{0} Y_{2}^{2} \end{matrix})}^{2} \end{matrix}$

The following theorem motivates this choice of polynomial transformation:

Theorem 6. Suppose that the points [X₀: X₁: X₂: X₃] and [Y₀: Y₁: Y₂: Y₃] obey (88). Then [Z₀: Z₁: Z₂: Z₃] given above also satisfies (88).

This can be proven by a brute-force calculation.

Polynomial Reformulation

Similarly to how the integer factorization problem can be partially reformulated using standard polynomials, the treatment of the carries can be reformulated using polynomial operations. This reformulation has the advantage of being more general than the prior discussion.

Suppose that A(x) has been determined, and U(x) is a polynomial coming from a standard polynomial factorization of v. There is an associated polynomial V(x), such that

(A(x)−U(x)−V(x))(A(x)+U(x)−V(x))≡v(x) (mod p).

The carry is the obstruction to factorization of N that comes when evaluated at x=p:

(A−U−V)(A+U−V)−N

where the notations are used A=A(p), U=U(p), V=V(p). One would like a way to manipulate this carry in order to guarantee a greater likelihood of factorization. To that end, let C be an integer for which (A−U−V)(A+U−V)−N≡C (mod V), which is to say that:

(A−U−V)(A+U−V)−N=BV+C

for some integer C. Assume that C does not share a factor with N. Replace the integer V by an indeterminate v, and then consider the quadratic polynomial in v:

q(v)=(A−U−v)(A+U−v)−Bv−C.

Note that q(V)≡0 (mod N). The constants A, U , B, C are regarded as parameters in this quadratic. In particular, its discriminant

Δ=B²+4(U²+AB+C)

depends on all four parameters. To change parameters to achieve a factorization, first rescale the parameters v, C, U, in such a way that Uv, UC, and v/C mod N₀remain constant (modulo N₀). Consider therefore a residue x modulo N₀, and rescalings of the form v→xv, C→xC mod N₀, and U→x⁻¹U where x⁻¹is computed modulo N₀so that xx⁻¹≡1 (mod N₀). (Assume that x has no factor in common with N₀.) The new quadratic is thus

{tilde over (q)}(v)=(A−x⁻¹U−xv)(A+x⁻¹U−xv)−xBv−xC,

and the new discriminant modulo N₀is

{tilde over (Δ)}≡4Cx³+(B²+4AB)x²+4U²(mod N₀).

Now, it is desired that the discriminant becomes a perfect square modulo N₀. That is, a solution is desired to

y²≡{tilde over (Δ)} (mod N₀).

That is

y²≡4Cx³+(B²+4AB)x²+4U²(mod N₀).

Multiply both sides by C²/4 (mod N₀):

$\frac{C^{2}}{4} y^{2} \equiv C^{3} x^{3} + (\frac{B^{2}}{4} + A B) C^{2} x^{2} + C^{2} U^{2} (\mod N_{0}) .$

Letting Y=Cy/2 and X=Cx, this equation becomes

$\begin{matrix} y^{2} \equiv X^{3} + (\frac{B^{2}}{4} + A B) X^{2} + C^{2} U^{2} (\mod N_{0}) . & (89) \end{matrix}$

Let f(X) denote the right-hand side of (89). Associate to any solution of (89) an affine-linear form ξ with the property that ξ(X)=0. The pair (ξ, Y) can be used in place of a solution (X, Y).

Note that ξ(X)=0, Y=CU is a solution. The following semigroup law takes a pair of solutions (ξ₁, Y₁) and (ξ₂, Y₂) and produces a third solution (ξ₃, Y₃).

- If degξ₁<1, then let (ξ₃, Y₃)←(ξ₂, Y₂). Else degξ₂<1, then let (ξ₃, Y₃)←(ξ₁, Y₁). Return (ξ₃, Y₃) and exit.
- Else let g=gcd(ξ₁, ξ₂).
- If g=1, let μ be the linear polynomial such that μ≡Y_i(mod for i=1,2. Let ξ₃=(f−μ²)/(ξ₁ξ₂), and let Y₃be the value of μ evaluated at the zero of ξ₃. Return the pair (ξ₃, Y₃) and exit.
- Else if Y₁+Y₂=0, then return (ξ₃, Y₃)←(1,0) and exit.
- Otherwise, let μ=((Y₁+f/Y₁)/2) mod ξ₁², where the multiplicative inverses are determined modulo N₀. Then let ξ₃=(f−μ²)/(ξ₁²), and let Y₃be the value of μ evaluated at the zero of ξ₃. Return (ξ₃, Y₃) and exit.

To turn this into a factorization method, it is desirable to have versions of the polynomial extended Euclid algorithm (xgcd) and Chinese remainder theorem (crt) that return a factor if their inputs are degenerate modulo N₀: i.e., if a factor is “discovered” by polynomial division.

The Semigroup Law in General

In general, suppose that F is a (fixed) squarefree polynomial modulo N₀of even degree 2k≥4. Let ∂ be the set of polynomials (α(x), β(x), γ(x)) modulo N, where β is a monic polynomial, degα<degβ<k and

α(x)²≡F(x)+β(x)γ(x) (mod N₀).

Define a binary operation ⊕ on δ as follows. Suppose given a pair X₁=(α₁, β₁, γ₁), X₂=(α₂, β₂, γ₂). Let δ be the greatest common divisor of β₁, β₂, and d the greatest common divisor of α₁+α₂, β₁, β₂. Let β₃=β₂/d²mod N₀. Then there exists a polynomial α₃of degree<degβ₃such that

α₃≡α₁(mod β₁/δ)
α₃≡α₂(mod β₂/δ)
F−α₃²≡0 (mod β₃).

To determine this α₃, there exist polynomials σ₁and and σ₂such that

σ₁β₁+σ₂β₂≡δ (mod N₀)

and polynomials ρ and ϵ such that

ρδ+ϵ(α₁+α₂)≡d (mod N₀).

Then

$α_{3} = \frac{1}{d} (ρ (σ_{2} β_{2} α_{1} + σ_{1} β_{1} α_{2}) + ϵ (F + α_{1} α_{2})) (\mod β_{3}) .$

Next, put

$γ_{3} = \frac{F - α_{3}^{2}}{β_{3}} (\mod N_{0}) .$

While degβ₃≥k, let

$β_{3} = γ_{3}, γ_{3} = \frac{F - α_{3}^{2}}{β_{3}} (\mod N_{0}),$

and

α₃=−α₃(mod β₃).

Finally make β₃monic by dividing by its leading coefficient. The binary operation ⊕ is thus defined as

X₁⊕X₂=X₃

where

X₃=(α₃, β₃, γ₃).

Since N₀is assumed to be composite, the polynomial division operations (or the normalization of β₃in the last step) of the semigroup law may not be well defined. In that case, a factor of N₀shall have been discovered, and the process terminates.

Examples
Small Example

Let N₀=797×991=789827. Select the parameters p=13, M=4, and k=[1,1,1,1]. Note that N₀is a quadratic residue mod p, so that α=1 is a possible candidate α. Note that T=790087 is a prime greater than N₀such that N₀≡Tα²(mod p). Then, with N=TN₀=624032044949, the digits of N modulo p form the polynomial:

v(x)=1+5x+5x²+6x³+9x⁴+7x⁵+12x⁶+12x⁷+10x⁸+6x⁹+4x¹⁰.

Modulo p=13, this polynomial factorizes as:

v(x)=(4)(x²+8)(x³+6x²+4x+1)(x⁵+2x⁴+11x³+7x²+11x+11).

The coefficients ω₀, ω₁, ω₂, ω₃are determined so that

A(x)=ω₀+ω₁x+ω₂x²+ω₃x³

obeys

A(x)²≡v(x) (mod p, x⁴).

To begin the process, let ω₀be a root of ω₀²≡v₀(mod p), for instance ω₀=1 satisfies 1²≡1 (mod 13). The remaining coefficients w_imust satisfy congruences

v₁≡2ω₀ω₁(mod p)
v₂≡2ω₀ω₂+ω₁²(mod p)
v₃≡2ω₀ω₃+2ω₁ω₂(mod p)

The first of these congruences reads

5≡2ω₁(mod 13)

and a solution of ω₁=9 is found by modular inversion (2⁻¹≡7 (mod 13)). The second congruence now reads

5≡2ω₂+3 (mod 13)

giving ω₂=1. The third congruence is now

6≡2ω₃+18 (mod 13)

That is, 2ω₃≡1 (mod 13), giving ω₃=7. Thus the polynomial

A(x)=1+9x+x²+7x³

satisfies

A(x)²≡v(x) (SP_p_k)

With the trivial divisor of 1, the associated polynomial U is

$\begin{matrix} U = {SP}_{p^{k}} (\frac{ω_{0}}{2} (1 - \frac{v}{v_{0}})) \\ = 4 x + 4 x^{2} + 10 x^{3} \end{matrix} .$

The polynomial V is now determined from the data of v, A, U as

V=A±√{square root over (v+U²)} (SP)

where the square root is taken in p^k-standard polynomials, and the sign is chosen so that the result is O(x²). Note that

v+U²≡1+5x+8x²+12x³(SP).

Denoting √{square root over (v+U²)}=σ₀+σ₁x+σ₂x²+σ₃x³(SP), the unknown coefficients σ₀, σ₁, σ₂, σ₃must obey

1≡σ₀²(mod p)
5≡2σ₀σ₁(mod p)
8≡2σ₀σ₂+ν₁²(mod p)
12≡2σ₀σ₃+2σ₁σ₂(mod p)

where the integers on the left-hand side are the corresponding coefficients of the standard part of v+U². Solving this system as above gives or σ₀=ω₀=1, σ₁=ω₁=9, σ₂=9, σ₃=3. Thus:

V=A−(1+9x+9x²+3x³)≡4x²+5x³(mod 13).

In summary, the polynomials A, U, V are

A(x)=1+9x+x²+7x³
U(x)=4x+4x²+10x³
V(x)=4x²+5x³

Evaluating these polynomials at x=p gives integers

A(p)=15666, U(p)=22698, V(p)=9633

which are henceforth denoted A, U, V, respectively.

However, observe that the difference

(A−U−V)(A+U−V)−N=−624510847064

is not zero, nor do either r=A−U−V nor s=A+U−V share a nontrivial factor with N₀. So, decompose the difference mod V:

−624510847064=(−64830359)V+1183.

This gives values for the parameters B=−64830359 and C=1183.

The objective is now to consider variables x such that the discriminant

$\begin{matrix} Δ = x^{3} + (\frac{B^{2}}{4} + AB) x^{2} + U^{2} C^{2} & \mod N_{0} \\ = x^{3} + 536317 x^{2} + 154667 \end{matrix}$

is a perfect square modulo N₀. To that end, let (ξ₁, y₁) be a pair comprising the monic affine -linear form ξ₁modulo N₀in one variable, and the integer y₁modulo N₀, given by:

ξ₁=x,
y₁=CU mod N₀=787443.

The pair (ξ₁, y₁) is the initial point for an iteration. The next point in the iteration (ξ₂, y₂) shall be determined as follows:

- Let ξ₂=ξ₁²=x²and y₂=(Δ+y₁²) mod ξ₂=152283.
- Now let

$ξ_{2} = \frac{Δ - y_{2}^{2}}{ξ_{2}}$

and y₂=y₂mod ξ₂. So ξ₂=x+536317 and y₂=2384.

To find the next point (ξ_n+1, y_n+1) from the previous point (ξ_n, y_n), the following procedure can be used.

- If ξ_n≡ξ₁(mod N₀), let δ=ξ₁, σ₁=0, σ_n=1. Otherwise, ξ_n−ξ₁is a nonzero constant modulo N₀. If it is not invertible modulo N₀, then a factor is found. Otherwise, let δ=1, λ=(ξ_n−ξ₁)⁻¹(mod N₀), σ₁=−λ, σ₂=λ. In either case, one has σ₁ξ₁+σ_nξ_n=δ where δ is the polynomial gcd of ξ₁and ξ_n.
- Next, if y_n≡−y₁(mod N₀), then let d=δ, ρ=1, ϵ=0. Else, if y_n+y₁is not invertible modulo N₀, it means that a factor is found. Otherwise, let d=1, ρ=0, and λ=(y_n+y₁)⁻¹mod N₀. In any case, the congruence ρδ+ϵ(y₁+y_n)≡d (mod N₀) now holds, where d is the polynomial gcd of δ and y₁+y_n.
- Let ξ_n+1←ξ_nξ₁/d². Define y_n+1(mod N₀) such that the congruence holds:
  
  dy_n+1≡ρ(σ₁ξ₁y_n+σ_nξ_ny₁)+ϵδ (mod ξ_n+1)
  
  where the modulo is with respect to polynomial division by ξ_n+1(mod N₀). (Note: because at this step, ξ_n+1is guaranteed to be monic, no factorization will be discovered here.) If ξ_n+1is quadratic rather than linear, then let

$ξ_{n + 1} \leftarrow \frac{Δ - y_{n + 1}^{2}}{ξ_{n + 1}} .$

Test if the greatest common divisor of the leading coefficient of ξ_n+1and N₀is nontrivial: if so, then it means a factor is found. Otherwise, normalize ξ_n+1by dividing (modulo N₀) by its leading coefficient. Now update y_n+1:

y_n+1←−y_n+1mod ξ_n+1,

with the same meaning of mod.

To illustrate, to find (ξ₃, y₃) given the previously determined (ξ₁, y₁) and (ξ₂, y₂), note that ξ₂−ξ₁=536317, whose inverse modulo N₀is 114631. Let δ=1, σ₁=−114631 and σ₂=114631. Now, y₂≡−y₁(mod N₀), so let d=δ=1, ρ=1, ϵ=0. Let

$ξ_{3} = \frac{ξ_{1} ξ_{2}}{d^{2}} = x^{2} + 5 3 6 3 1 7 x$

and

$\begin{matrix} y_{3} = (- 11 4 631 ξ_{1} y_{2} + 1 1 4 631 ξ_{2} y_{1}) \mod ξ_{3} \\ = (- 11 4 6 3 1) (2 3 8 4) x + 1 1 4 6 3 1 (7 8 7 4 4 3) (x + 5 3 6 3 17) \mod ξ_{3} \\ = 7895 0 3 x + 7 8 7 4 4 3 \end{matrix}$

after taking coefficients modulo N₀and obtaining the remainder from polynomial long division by ξ₃. Because ξ₃is quadratic and not linear, replace it with

$ξ_{3} \leftarrow \frac{Δ - y_{3}^{2}}{ξ_{3}} = x + 684851$

and update y₃via

y₃←−y₃(mod ξ₃)=52047.

The results of continuing this process for successive iterations is presented in Table 1. The final line gives y=704548. The gcd with N₀is then gcd(N₀, y)=gcd(789827,704548)=797, and so a factor of N₀has been found. (The other factor can be obtained by division: N₀/797=991.)

TABLE 1

First seven iterations of the process

\frac{ξ (x)}{x}

\frac{y}{787443}

x + 536317
2384

x + 684851
52047

x + 225605
682442

x + 572007
587941

x + 538246
275646

x + 369405
385164

x + 711460
704548

Large Example

Consider the integer of 201 digits, composed of two large prime factors:

N₀=22967931147801119577057392151555297515908528818203114721284113333931 69938767039237859844411753308995545617879257906080518909576843342909 2047830345207451926941075428246929075122113723634319517491078477.

Let p=1299721 and α=89. The integer

T=229679311478011195770573921515552975159085288182031147212841133339316 99387670392378598444117533089955456178792579060805189095768433429092 047830345207451926941075428246929075122113723634319517592414719

is a prime greater than N₀such that N₀≡Tα²(mod p). Then

v=1008831 +1136976x¹+956702x²+288775x³+618031x⁴+786694x⁵++959534x⁶+982257x⁷+1079763x⁸+606595x⁹+1119948x¹⁰+315803x¹¹++163055x¹²+277569x¹³+397201x¹⁴+845775x¹⁵+325656x¹⁶+401316x¹⁷++938657x¹⁸+445914x¹⁹+700279x²⁰+1078663x²¹+1021990x²²+267966x²³++980433x²⁴+864073x²⁵+424418x²⁶+501729x²⁷+36106x²⁸+24162x²⁹++27979x³⁰+250922x³¹+289611x³²+1050104x³³+1050583x³⁴+442750x³⁵++1280878x³⁶+1072587x³⁷+460680x³⁸+1126283x³⁹+679997x⁴⁰+1014612x⁴¹++1071670x⁴²+478751x⁴³+479058x⁴⁴+1180741x⁴⁵+832872x⁴⁶+508143x⁴⁷++63586x⁴⁸+170412x⁴⁹+851654x⁵⁰+673439x⁵¹+1294284x⁵²+760587x⁵³++906884x⁵⁴+973676x⁵⁵+50261x⁵⁶+1032425x⁵⁷+903379x⁵⁸+1286973x⁵⁹++180314x⁶⁰+1066029x⁶¹+213083x⁶²+1032351x⁶³+1284994x⁶⁴+20x⁶⁵.

It is now desired to find integers ω₀, ω₁, . . . modulo p such that

$\begin{matrix} v_{0} & \equiv ω_{0}^{2} & (\mod p) \\ v_{1} & \equiv 2 ω_{0} ω_{1} & (\mod p) \\ v_{2} & \equiv 2 ω_{0} ω_{2} + ω_{1}^{2} & (\mod p) \\ v_{3} & \equiv 2 ω_{0} ω_{3} + 2 ω_{1} ω_{2} & (\mod p) \\ v_{4} & \equiv 2 ω_{0} ω_{4} + 2 ω_{1} ω_{3} + ω_{2}^{2} & (\mod p) \\ ⋮ & ⋮ & ⋮ \\ v_{k} & \equiv \sum_{i = 0}^{k} ω_{i} ω_{k - i} & (\mod p) \\ ⋮ & ⋮ & ⋮ \end{matrix}$

With ω=649676, the unique integers ω_idetermined by these congruences are found in 1 millisecond on a single thread of an Intel(®) Core(™) i7-10700 CPU at 2.90 GHz, and are tabulated in Table 1, up to M=99.

ω_ifor 0 ≤ i < M = 99 in the example

ω₀
649676
ω₁
176555
ω₂
1210316

ω₃
880935
ω₄
990258
ω₅
1193444

ω₆
61049
ω₇
404278
ω₈
301580

ω₉
869756
ω₁₀
1182221
ω₁₁
157526

ω₁₂
106958
ω₁₃
412412
ω₁₄
97078

ω₁₅
1058759
ω₁₆
601585
ω₁₇
283394

ω₁₈
30547
ω₁₉
1154202
ω₂₀
85723

ω₂₁
1230004
ω₂₂
478092
ω₂₃
124906

ω₂₄
537915
ω₂₅
1149285
ω₂₆
811132

ω₂₇
25307
ω₂₈
181194
ω₂₉
334252

ω₃₀
1122689
ω₃₁
1274176
ω₃₂
582005

ω₃₃
65984
ω₃₄
767541
ω₃₅
966192

ω₃₆
26289
ω₃₇
1255833
ω₃₈
1277307

ω₃₉
930123
ω₄₀
666184
ω₄₁
168986

ω₄₂
1095395
ω₄₃
653414
ω₄₄
28041

ω₄₅
353354
ω₄₆
273125
ω₄₇
980499

ω₄₈
218587
ω₄₉
739819
ω₅₀
632834

ω₅₁
1055915
ω₅₂
715651
ω₅₃
156745

ω₅₄
885257
ω₅₅
1024532
ω₅₆
1188376

ω₅₇
296168
ω₅₈
474923
ω₅₉
1083529

ω₆₀
948621
ω₆₁
1024778
ω₆₂
539727

ω₆₃
53812
ω₆₄
176433
ω₆₅
825291

ω₆₆
1093610
ω₆₇
91679
ω₆₈
1019182

ω₆₉
937590
ω₇₀
754793
ω₇₁
441590

ω₇₂
343128
ω₇₃
507560
ω₇₄
272679

ω₇₅
536524
ω₇₆
1069159
ω₇₇
255311

ω₇₈
325334
ω₇₉
919125
ω₈₀
541698

ω₈₁
995762
ω₈₂
679297
ω₈₃
910068

ω₈₄
1116934
ω₈₅
832307
ω₈₆
1066863

ω₈₇
302115
ω₈₈
360316
ω₈₉
188493

ω₉₀
260955
ω₉₁
286776
ω₉₂
6525

ω₉₃
1128692
ω₉₄
842066
ω₉₅
135610

ω₉₆
382721
ω₉₇
705108
ω₉₈
658922

The complete factorization of v(x) modulo p is determined using the procedure described in 2 milliseconds on a single thread of an Intel(®) Core(™) i7-10700 CPU at 2.90 GHz:

$v = (20) \times (x + 1164545) \times (x^{3} + 401265 x^{2} + 1232398 x + 446873) \times (\begin{matrix} x^{25} + 1126379 x^{24} + 1007770 x^{23} + 566898 x^{22} + 468042 x^{21} + \\ 1072384 x^{20} + 1286593 x^{19} + 1165876 x^{18} + 531903 x^{17} + 427926 x^{16} + \\ 731970 x^{15} + 461270 x^{14} + 245668 x^{13} + 98598 x^{12} + 641038 x^{11} + \\ 605298 x^{10} + 217543 x^{9} + 174186 x^{8} + 1081462 x^{7} + 315399 x^{6} + \\ 203594 x^{5} + 659685 x^{4} + + 325480 x^{3} + 150243 x^{2} + 11211680 x + \\ 456996 \end{matrix}) \times (\begin{matrix} x^{36} + 361419 x^{35} + 314100 x^{34} + 375904 x^{33} + 338514 x^{32} + 648035 x^{31} + \\ 529983 x^{30} + 640529 x^{29} + 382523 x^{28} + 920414 x^{27} + 899851 x^{26} + \\ 276259 x^{25} + 227435 x^{24} + 1192845 x^{23} + 262010 x^{22} + 846862 x^{21} + \\ 475004 x^{20} + 31544 x^{19} + 1140348 x^{18} + 914003 x^{17} + 107624 x^{16} + \\ 350295 x^{15} + 407742 x^{14} + 138534 x^{13} + 756626 x^{12} + 391910 x^{11} + \\ 83332 x^{10} + 741465 x^{9} + 822812 x^{8} + 456431 x^{7} + 890299 x^{6} + \\ 181841 x^{5} + 852774 x^{4} + + 499863 x^{3} + 248842 x^{2} + 107144 x + 399396 \end{matrix})$

Up to a constant multiple, there are 2⁴=16 divisors of the polynomial v(x) modulo p, and so 16 pairs of polynomials (U(x),V(x)) to inspect. Inspecting all of these, the procedure discovers a factor at

$U (x) = 1123 1 6 6 x + 523890 x^{2} + 9 2 7 1 4 2 x^{3} + 167222 x^{4} + 8 2 2 8 2 3 x^{5} + 502764 x^{6} + 583838 x^{7} + 1249813 x^{8} + 1012538 x^{9} + 2 0 3 8 0 5 x^{1 0} + 141747 x^{1 1} + 1 4 5 3 1 x^{1 2} + 729864 x^{1 3} + 9 1 6 8 6 9 x^{1 4} + 1 1 1 1 8 1 0 x^{1 5} + 1205502 x^{1 6} + 233558 x^{1 7} + 2 7 0 2 3 7 x^{1 8} + 159711 x^{1 9} + 8 7 5 4 2 3 x^{2 0} + 189604 x^{2 1} + 411354 x^{2 2} + 793239 x^{2 3} + 2657 x^{2 4} + 738498 x^{2 5} + 9 9 7 7 4 x^{2 6} + 1216546 x^{2 7} + 683420 x^{2 8} + 486140 x^{2 9} + 7 4 6 7 9 9 x^{3 0} + 997485 x^{3 1} + 381191 x^{3 2} + 2 0 7 1 3 8 x^{3 3} + 443132 x^{3 4} + 1075495 x^{3 5} + 1035499 x^{3 6} + 245944 x^{3 7} + 5 5 0 7 2 4 x^{3 8} + 1211194 x^{3 9} + 206135 x^{40} + 108418 x^{4 1} + 62783 x^{42} + 765632 x^{4 3} + 1 0 5 7 9 8 2 x^{4 4} + 1 1 4 0 8 9 6 x^{4 5} + 594000 x^{4 6} + 656521 x^{4 7} + 3 2 4 2 2 2 x^{4 8} + 898643 x^{4 9} + 9 9 9 1 1 3 x^{5 0} + 4 8 0 8 5 5 x^{5 1} + 753753 x^{5 2} + 1185547 x^{53} + 9 7 8 1 2 9 x^{54} + 523936 x^{55} + 3 5 3 5 9 x^{56} + 4 0 7 8 6 0 x^{5 7} + 252530 x^{58} + 700899 x^{59} + 1 0 3 9 5 6 1 x^{6 0} + 520664 x^{6 1} + 2 4 7 1 3 7 x^{6 2} + 1217984 x^{6 3} + 200730 x^{6 4} + 8 7 0 0 0 3 x^{6 5} .$

The entire procedure takes 5263 seconds on a Slurm cluster consisting of 4 PCs, each with 16 threads running on an Intel(®) Core(™) i7-10700 CPU at 2.90 GHz.

Appendices
The Euclidean Algorithm

The extended Euclidean algorithm is an iteration of the division algorithm that allows one to compute s, t such that

sa+tb=gcd(a, b),

Inputs: Positive integers a and b.

Outputs: Integers s,t,d

sa+tb=d

where

d=inf{sa+tb|s,tϵ custom character , sa+tb>0}

is the greatest common divisor of a and b.

- 1. Let α←a, β←b, S←1, T←0, s←0, t←1
- 2. If β=0 then output s, t, α and exit the program.
- 3. Let q and r be the unique integers (from the division algorithm) such that
  
  α=qβ+r
- 4. Let (S, s)←(s−q*S, S), (T, t)←(t−q*T, T), α←β, β←r, and go to 2.

Python Source Code

Here is an implementation in Python:

def
euclid(a, b) :

S=0

T=1

s=1

t=0

alpha = a

beta = b

while beta != 0:

(q, r) = divmod(alpha, beta)

(S, s) = (s−q*S, S)

(T, t) = (t−q*T, T)

alpha=beta

beta=r

return(s, t, alpha)

Modular Inversion

Given a modulus M and integer a relatively prime to M, a modular inverse of a is an integer b such that ab≡1 (mod M). The Euclidean algorithm can be used to determine a modular inverse as follows. Since a and M are relatively prime, apply the Euclidean algorithm to find integers s, t such that

sa+tM=1.

Then, sa=1−tM implies sa≡1 (mod M). That is b=s is a modular inverse of a.

Euclidean Algorithm for Polynomials Modulo N

Suppose that N is an integer, possibly composite.

Inputs: Polynomials a and b modulo N.

Outputs: Integers s, t, d such that

sa+tb=d

where

degd=inf{deg(sa+tb)|s,tϵ custom character , sa+tb≠0}

is the greatest common divisor of a and b, or else a nontrivial factor of N.

- 1. Let α←a, β←b, S←1, T←0, s←0, t←1
- 2. If β=0, then let α₀be the leading coefficient of α. If α₀is not coprime to N, then output their greatest common divisor. Else, output s/a₀, t/a₀, a/a₀and exit the program.
- 3. If the leading coefficient of β is not coprime with N, then output their greatest common divisor. Else let q and r be the unique polynomials (from the division algorithm) such that degr<degα and
  
  α=qβ+r
- 4. Let (S, s)←(s−q*S, S), (T, t)←(t−q*T, T), α←β, β←r, and go to 2.

Python-Sage code

def
euclid(g, a, b) :

S=0

T=1

s=1

t=0

alpha = a

beta = b

while beta != 0:

assert(s*a+t*b == alpha and S*a+T*b == beta)

betad0 = beta.leading_coefficient( )

d = gcd(beta0,beta.base_ring( ).characteristic( ) )

if d > 1:

g.append(d)

return(alpha, s, t)

q = alpha // beta

r = alpha % beta

(S, s) = (s−q*S, S)

(T, t) = (t−g*q*T, T)

alpha=beta

beta=r

alpha0 = alpha.leading_coefficient( )

d = gcd(beta0,beta.base_ring( ).characteristic( ) )

if d > 1:

g.append (d)

else:

alpha = alpha / alpha0

s = s / alpha0

t = t / alpha0

return(alpha, s, t)

Chinese Remainder Theorem

A version of the Chinese remainder theorem is needed that operates on polynomials modulo N, in the following sense. Suppose that x₁and x₂are two given polynomials modulo N and m₁and m₂are relatively prime, meaning that there exist u₁and u₂such that u₁m₁+u₂m₂≡1 (mod N). Then there exists a polynomial x such that x≡x₂(mod m₁) and x≡x₂(mod m₂), namely x=x₁u₂m₂+x₂u₁m₁. The polynomial x is unique modulo m₁m₂.

The following algorithm is sufficient to produce the required polynomial x, or else to produce a factor of N.

def
crt_f(g, x1, x2, m1, m2) :

(d, u1, u2) = euclid(g, m1, m2)

if d.degree( ) > 0 and g == [ ] :

print(″Unsupported: m1 and m2 must be coprime″)

elif d != 1 and g == [ ] :

d = gcd(d[0],d.base_ring( ).characteristic( ) )

g.apend(d)

return(x1*u2*m2 + x2*u1*m1)

Digit Expansions
Division Theorem

Suppose that p is prime and N, r are given integers. It is of interest to determine whether there is an integer s such that

N≡rs (mod p^k). (90)

Basically one can perform ordinary digitwise long division to compute s mod p^kfor which this holds. Note that this can be done for any r that is not divisible by p, so that solutions of (90) do not confer anything about potential factors of N. More precisely:

Theorem 7. Let N be an integer. For any integer r not divisible by p, there exists for every positive k a unique integer s with 0≤S s<p^ksuch that (90) holds. The solution s=s_kto (90) depends only on the reduction of r modulo p^k. Furthermore, when r is fixed, s_k≡s_l(mod p^k) whenever k<l.

Proof. Since p is prime and r is not divisible by p, gcd(r, p^k)=1 for all k≥0. From the division algorithm, there exist integers α_k, β_ksuch that

α_kr+β_kp^k=1. (91)

Moreover, the residues α_k(mod p^k), β_k(mod r) of a pair satisfying (91), are uniquely determined. Let s be the unique residue in 0≤s<p^ksuch that Nα_k≡s (mod p^k). Then

rs≡N·(α_kr)=N·(1−β_kp^k)=N−β_kNp^k≡N (mod p^k).

This proves existence.

For the uniqueness of the residue s_k(mod p^k), suppose s, s′ both satisfy (90). Then rs≡rs′ (mod p^k), or r·(s−s′)≡0 (mod p^k). Since r is not divisible by p, this implies that p^k|(s−s′). That is, s≡s′ (mod p^k). The residue s_k(mod p^k) is thus unique.

Finally, since s=s_kand s=s_lboth satisfy N≡rs (mod p^k), it follows by uniqueness of the residue s_kthat s_l≡s_kmod p^k. □

Long Division

Corollary 1. Given the integers N and r as in Theorem 7, there exists a unique sequence of digits (a₀, a₁, . . . ) having the property that, for each k, N≡r·(a₀+a₁p+a₂p²+ . . . +a_kp^k) (mod p^k+1).

One way to find the sequence a_iis by “long division” of r into N, working from the lowest digits to the highest (unlike ordinary long division, which works from the most significant to least).

For example, long division of 137/352 in base p=5 returns the sequence of digits (up to the 18th digit);

1,1,3,4,4,4,2,2,1,4,1,2,4,0,1,1,4,3 . . .

That is,

$s_{1 8} = 1 + 1 p + 3 p^{2} + 4 p^{3} + 4 p^{4} + 4 p^{5} + 2 p^{6} + 2 p^{7} + 1 p^{8} + 4 p^{9} + 1 p^{1 0} + 2 p^{1 1} + 4 p^{1 2} + 0 p^{1 3} + 1 p^{1 4} + 1 p^{15} + 4 p^{1 6} + 3 p^{1 7} = 293 6 8 8 3 406206.$

This integer satisfies

352·s₁₈≡137 (mod p^k)

for k=1, 2, . . . , 18.

The long division can be prolonged to obtain more terms of the digit sequence. For example,

$S_{2 4} = 1 + 1 p + 3 p^{2} + 4 p^{3} + 4 p^{4} + 4 p^{5} + 2 p^{6} + 2 p^{7} + 1 p^{8} + 4 p^{9} + 1 p^{1 0} + 2 p^{1 1} + 4 p^{1 2} + 0 p^{1 3} + 1 p^{1 4} + 1 p^{1 5} + 4 p^{1 6} + 3 p^{1 7} + 2 p^{1 8} + 0 p^{1 9} + 3 p^{2 0} + 3 p^{2 1} + 0 p^{2 2} + 2 p^{2 3} = 255 6 9 0 3 7 9 5 7 6 2 4 956$

which satisfies

352·s₂₄≡137 (mod p^k)

for k=1,2, . . . ,24.

However, despite the fact that and 352·s_k≡137 (mod 5^k) for all k, and s_kand s_lwill share the first k digits whenever l≥k, there is clearly no integer s that satisfies 352·s=137.

Factorization by Trial Division

Consider an example where an integer N=rs has been prepared, say N=250641205046503. With p=29, one has

N=10+14p+11p²+4p³+14p⁴+24p⁵+0p⁶+1p⁷+8p⁸+17p⁹.

The goal of factorization is to find integers r, s>1 such that N=r·s. Assuming r is a candidate divisor, a possible s can be constructed using long division. For example, if a hypothesis is made that the first two digits of r are 12 and 6, that is r≡12+6p (mod p²). Then an s, should it exist, would be found by long division of r into N, tabulated in (92).

$\begin{matrix} \begin{matrix} 25 & 12 \\ 12 & 6 & 10 & 14 \\ 10 & 15 \\ 28 \\ 28 \end{matrix} & (92) \end{matrix}$

Note that there is no obstruction to performing the division out to this number of digits. Corollary 1 implies that “long division” can be carried out to arbitrarily many digits, so there will never be an obstruction. Information on whether r is a divisor of N must therefore come from a magnitude constraint: that is, is the resulting quotient s obtained by long division null-terminated? Since the product (25+12·p) (12+6·p) has fewer digits than N, no information is inferred on whether r could be a divisor of N from this division. It is necessary to consider more digits.

For example, hypothesizing that

r=12+6p+1p²+5p³,

then (93) tabulates the resulting long division.

$\begin{matrix} \begin{matrix} 25 & 12 & 21 & 4 \\ 12 & 6 & 1 & 5 & 10 & 14 & 11 & 4 \\ 10 & 15 & 1 & 10 \\ 28 & 9 & 23 \\ 28 & 18 & 14 \\ 20 & 8 \\ 20 & 18 \\ 19 \\ 19 \end{matrix} & (93) \end{matrix}$

Because the integer r·s is still not as long as N, it is required to specify still more digits. Since N has ten digits mod p, it will only be possible for r·s to have enough digits if at least six digits of r are known. For example, hypothesizing that

r=12+6p+1p²+5p³+23p⁴+26p⁵,

the answer is tabulated in (94).

$\begin{matrix} \begin{matrix} 25 & 12 & 21 & 4 & 4 & 18 & 23 & 6 & 20 & 21 \\ 12 & 6 & 1 & 5 & 23 & 26 & 10 & 14 & 11 & 4 & 14 & 24 & 0 & 1 & 8 & 17 \\ 10 & 15 & 1 & 10 & 28 & 2 & 23 \\ 28 & 9 & 23 & 14 & 21 & 6 & 0 & 8 & 17 \\ 28 & 18 & 14 & 2 & 17 & 2 & 11 \\ 20 & 8 & 12 & 4 & 4 & 18 & 7 & 17 \\ 20 & 18 & 25 & 18 & 22 & 11 & 19 \\ 19 & 15 & 14 & 10 & 6 & 17 & 16 \\ 19 & 25 & 4 & 20 & 5 & 20 & 3 \\ 19 & 9 & 19 & 0 & 26 & 12 \\ 19 & 25 & 4 & 20 & 5 & 20 \\ 13 & 14 & 9 & 20 & 21 \\ 13 & 28 & 21 & 3 & 11 \\ 15 & 16 & 16 & 10 \\ 15 & 2 & 28 & 28 \\ 14 & 17 & 10 \\ 14 & 9 & 7 \\ 8 & 3 \\ 8 & 12 \\ 20 \\ 20 \end{matrix} & (94) \end{matrix}$

Only now, in (94), does it become clear that there is no divisor r≡12 +6p+1p²+5p³+23p⁴+26p⁵(mod p⁶), because the product of r and the digit sequence s resulting from long division (mod p⁶) has more digits than the integer N to be factored.

A seemingly plausible way to factor is to inspect all choices of digits in r, testing whether there is an s such that rs=N. Unfortunately, Corollary 1 implies that any selection of digits in r, provided the first digit is not zero, gives rise to a unique digit sequence s. This digit sequence corresponds to an integer if and only if it terminates. However, to check the termination condition requires to carry the long division out far enough. This example illustrates a general principle that no information on the feasibility of a factor r can be determined until about half the digits of N are specified. So searching over r and using long division is no better than brute force trial division,

Inversion Modulo p^k

Related to the problem of division modulo powers of p is that of inversion: given the digits of an integer a, to find a digit expansion x such that xa≡1 (mod p^k). The following theorem characterizes the solutions to this problem. Later an algorithm shall be given for finding them.

Theorem 8. Let p be prime and a an integer not divisible by p. Then, for any positive integer k, there exists a unique integer x_kbetween 0 and p^ksuch that x_ka≡1 (mod p^k). Furthermore, if k<l, then x_l≡x_k(mod p^k).

Proof For uniqueness, suppose that two solutions x_kand y_kare given. Then:

(x_k−y_k)a≡0 (mod p^k).

Since p is prime and does not divide a, it follows that p^k|(x_k−y_k). That is, x_k−y_k≡0 (mod p^k) or x_k≡y_k(mod p^k). Because x_kand y_kare between 0 and p^kby assumption, they must therefore be equal.

For existence, since a is prime to p^k, the Euclidean algorithm gives integers s, t such that

sa+tp^k=1.

Thus sa≡1 (mod p^k), so setting x_k=s mod p^kgives the required (unique) solution. □

An alternative algorithm can be given that usually requires fewer divisions. Specifically, an iteration is given that computes x₂_j. The case of general x_kcan be inferred from this by exploiting the uniqueness established in the theorem: x_k=x₂_j(mod p^k) for any power of two 2^j≥k.

For j=0, the Euclidean algorithm is applied to obtain s, t such that sa+tp=1. Then take x₁=s mod p, which then satisfies x₁a≡1 (mod p). Next, supposing that x₂_jhas been calculated, let

x₂_j+1=(2−x₂_jα)x₂_jmod p²^j+1.

Let |·|_pdenote the p-adic norm on the integers:

|n|_p=inf{p^−r|p^r|n}.

Note that

|1−x₁α|_p≤p⁻¹ (95)

because p divides 1−x₁a. It shall be shown that

|1−x₂_j+1α|_p≤|1−x₂_jα|_p². (96)

From (95) and (96) it follows by induction that

|1−x₂_jα|_p≤p⁻²^j

for all j; that is:

x₂_jα≡1 (mod p²^j),

as required.

It remains to show that (96) holds. Consider:

$\begin{matrix} 1 - x_{2^{j + 1}} a = 1 - 2 (2 - x_{2^{j}} a) x_{2 j} a \\ = (1 - x_{2 j} a) - (1 - x_{2^{j}} a) x_{2^{j}} a \\ = {(1 - x_{2^{j}} a)}^{2} . \end{matrix}$

So (96) now follows by multiplicativity of the norm.

The Algorithm

To summarize, the following algorithm can be used for inversion:

Inputs: A prime p, non-negative integer j, and integer a that is not divisible by p.

Output: An integer 0<x₂_k<p²^ksuch that x₂_kα≡1 (mod p²^k).

- 1. Let (s, t, 1) be the output of the Euclidean algorithm with inputs a and p, so that
  
  sa+tp=1.

Let x←s mod p.

2. For j=1 to k, let x←(2−x*a)*x mod p²^k.

3. Return x.

Python Source Code

Here is an implementation:

#Compute the inverse of modulo p{circumflex over ( )}(2{circumflex over ( )}k)

def
modInv(a, p, k) :

(s, t, d) = euclid(a, p)

x=s % p

q=p

for _ in range (0, k) :

q *= q

x = ( (2−x*a) *x) % q

return(x)

Square Root of Digit Expansions

Let N be a quadratic residue modulo p.

Theorem 9. Let p be an odd prime and N a positive integer not divisible by p. Suppose that 0≤A₁<p satisfies A₁²≡N (mod p). Then, for any positive integer k there exists a unique integer A_kin 0≤A_k<p^ksuch that A_k²≡N (mod p^k) and A_k≡=A₁(mod p). Furthermore, if k<l, then A_l≡A_k(mod p^k).

Proof For uniqueness, if A_k, B_kare two solutions between 0 and p^k, then

A_k²−B_k²=(A_k−B_k)(A_k+B_k)≡0 (mod p^k).

Reducing modulo p, it follows that p divides A_k−B_k. If p were to also divide A_k+B_k, then p would divide A_kand B_k, and therefore would also divide N (because A_k²≡N (mod p)). But this is contrary to the choice of N. Therefore, p^kdivides A_k−B_k. That is A_k≡B_k(mod p^k). Since A_kand B_kare between 0 and p^kby hypothesis, this implies A_k=B_k, and hence uniqueness. The last statement of the theorem is a consequence of the uniqueness, since A_kand A_lsatisfy A_k²≡N (mod p^k) and A_l²≡N (mod p^k) implies that A_l≡A_k(mod p^k).

This leaves only the matter of existence. The solution A_kis computed as A_k=A₂_jmod p^kfor a power of two 2^j≥k. The solution with k=2^jis constructed by the following iteration

A₂_j+1=2⁻¹(A₂_j+NA₂_j⁻¹) (97)

where the inverses are computed modulo p²^j+1using the algorithm of inversion modulo p.

Note that |N−A₁²|_p≤p⁻¹. It will be shown that

|N−A₂_j+1²|_p=|N−A₂_j|²

so that, by induction,

|N−A₂_j²|_p=p⁻²^j,

i.e.,

A₂_j²≡N (mod p²^j),

as desired.

To prove it, denote by 1/A₂_jthe inverse of A₂_jmodulo p²^j+1. Then:

$\begin{matrix} N - A_{2^{j + 1}}^{2} \equiv N - \frac{1}{4} A_{2^{j}}^{2} - \frac{1}{2} N - \frac{1}{4} N^{2} A_{2^{j}}^{- 2} \\ \equiv \frac{1}{2} (N - A_{2^{j}}^{2}) + \frac{1}{4} (A_{2^{j}}^{2} - \frac{N^{2}}{A_{2^{j}}^{2}}) \\ \equiv \frac{1}{2} (N - A_{2^{j}}^{2}) + \frac{1}{2} \frac{A_{2^{j + 1}}}{A_{2} j} (A_{2^{j}} - \frac{N}{A_{2^{j}}}) \\ \equiv \frac{1}{2} (N - A_{2^{j}}^{2}) (1 - \frac{A_{2^{j}} + 1}{A_{2^{j}}}) (\mod p^{2^{j + 1}}) . \end{matrix}$

Next, note that

$1 - \frac{A_{2^{j + 1}}}{A_{2^{j}}} \equiv \frac{1}{2} (\frac{N - A_{2^{j}}^{2}}{A_{2^{j}}}) .$

Substituting into the above now gives

$N - A_{2^{j + 1}}^{2} \equiv \frac{1}{4} {(N - A_{2^{j}}^{2})}^{2} A_{2^{j}}^{- 1}$

and therefore, by multiplicativity of the norm and since |A₂_j|_p=1,

|N−A₂_j+1²|_p=|N−A₂_j²|_p′²

as required. □

The Algorithm

The proof above contains the following algorithm, optimized to compute all of the required inverses together with the iterations.

Inputs: An odd prime p, integer N, integer A₁such that A₁²≡N (mod p), and a non -negative integer k.

Output: An integer A₂_ksuch that A₂_k²≡N (mod p²^k).

1. If k=0 then output A₁and exit. Else continue.

2. Let (s, t, 1) be the result of applying the Euclidean algorithm with inputs 2 and p, so that 2s+pt=1. Let s←mod p.

3. Let A←A₁, q←p.

4. Let (u, v, 1) be the result of applying the Euclidean algorithm with inputs A₁and p, so that A₁u+pv=1. Let u←u mod p.

5. For j=1 to k repeat:

- q←q*q
- s←2*(1−s)*s (mod q)
- u←(2−u*A)*u (mod q)
- u←(2−u*A)*u (mod q)
- A←s*(A+N*u) (mod q)

6. Return A.

(Note the repeated step in the inner loop.)

Python source code

#Return the A such that A{circumflex over ( )}2 == N (mod p{circumflex over ( )}(2{circumflex over ( )}k) ) and A==A1 (mod p)

#Uses the algorithm euclid(a,b) from earlier

def
modSqrt(N, A1, p, k) :

if k==0:

return(A1 % p)

q=p

(s, _, _) = euclid(2, p)

s = s % p

(u, _, _) = euclid (A1, p)

u =u % p

A= A1 % p

for j in range(0, k) :

q *= q

s= (2*s* (1−s) ) % q

u= (u* (2−u*A) ) % q

u= (u* (2−u*A) ) % q

A= (s* (A+N*u) ) % q

return (A)

Infinite Digit Expansions:

Naturally an infinite digit expansion cannot be fully represented on a computer, so consider such digit expansions as a computation that can be continued indefinitely:

- An infinite digit expansion is a rule that, for each n=0,1 . . . , given the first n digits (x₀, x₁, . . . , x_n−1), gives the next digit x_n.

In representing an infinite digit expansion in computer memory, it is necessary to truncate it to some machine-sized limit. If such a cutoff is employed, it shall be chosen large enough not to interfere with any relevant features of the problem.

Carry Arithmetic

A digit expansion shall be a sequence of integers (x₀, x₁, . . . ) with 0≤x₁<p, i=0,1, . . . Sequences can be subjected to the usual rules of addition-with-carry, multiplication-with -carry, subtraction-with-borrow, without regard for their size. Note that it is necessary to introduce some non-terminating sequences. For example, with p=5, the difference (3+5+5²)−(1+2·5+5²) can be found. After subtracting one from three without difficulty in the ones' place, it is now required to subtract two from one in the p's place, so a borrow of one. That leaves a deficit of one in the p²place, so it is then necessary to borrow one from the next place, and so forth. Note that borrowing converts a 0 into p−1 (=4) plus a borrow from the next digit. Taken out to several digits, that is:

$\begin{matrix} 3 & 1 & 1 & 0 & 0 & 0 \\ - & 1 & 2 & 1 & 0 & 0 & 0 \\ - & - & - & - & - & - & - \\ 2 & 4 & 4 & 4 & 4 & 4 \end{matrix}$

But clearly this process of borrowing from 0 can be continued indefinitely, and the outcome of this computation is the non-terminating sequence (2,4,4,4,4, . . . ). It is also instructive to reverse the process, adding (1,2,1) to (2,4,4,4, . . . ):

$\begin{matrix} 2 & 4 & 4 & 4 & 4 & 4 \\ + & 1 & 2 & 1 & 0 & 0 & 0 \\ - & - & - & - & - & - & - \\ 3 & 1 & 1 & 0 & 0 & 0 \end{matrix}$

All of the borrows are now carries: whenever a 1 overflows into a 4, it gives zero with a carry of one to the next 4 in the chain, and so on ad infinitum.

It is convenient to identify the sequence (x₀, x₁, . . . ) with a formal sum of powers of p,

$x = \sum_{n = 0}^{\infty} x_{n} p^{n} .$

Then the arithmetic operations have their usual meanings, with carry, on infinite expressions.

Explicitly, suppose

$\begin{matrix} x = \sum_{n = 0}^{\infty} x_{n} p^{n} \\ y = \sum_{n = 0}^{\infty} y_{n} p^{n} . \end{matrix}$

Then the following rules hold:

Addition

$x + y = \sum_{n = 0}^{\infty} z_{n} p^{n}$

where for n=0,1, . . . ,

z_n=(x_n+y_n+c_n) mod p,
c_n+1=└(x_n+y_n+c_n)/p┘

and c₀=0.

Subtraction

$x - y = \sum_{n = 0}^{\infty} z_{n} p^{n}$

where for n=0,1, . . . ,

z_n=(x_n−y_n+c_n) mod p,
c_n+1=└(x_n−y_n+c_n)/p┘

and c₀=0.

Multiplication

$x \cdot y = \sum_{n = 0}^{\infty} z_{n} p^{n}$

where for n=0,1, . . . ,

$z_{n} = (c_{n} + \sum_{k = 0}^{n} x_{k} y_{n - k}) \mod p$

$c_{n + 1} = ⌊ p^{- 1} (c_{n} + \sum_{k = 0}^{n} x_{k} y_{n - k}) ⌋$

and c₀=0.

Theorem 9 can be reformulated using infinite digit expansions:

Theorem 10. Let p be an odd prime and N a positive integer not divisible by p. Suppose that 0≤a₀<p satisfies a₀²≡N (mod p). Then there exists a unique digit expansion A=(a₀, a₁, . . . ) such that A²=N.

Every quadratic residue has a square root.

Clearly not every quadratic residue is a perfect square. For example, the integer 6 is a quadratic residue modulo 5, but is plainly not a perfect square.

However, because of Theorem 10, any integer N that is a quadratic residue modulo p is a “perfect square” in the sense that there exists a digit expansion A such that N=A². Clearly such a digit expansion A must be infinite, unless N is a perfect square in the usual sense, as the example N=6, p=5 shows.

Because of Theorem 10, it is possible to solve the equation N=r·s, with the constraint that r and s have the same digits as one another (i.e., s=r). So although N has a “factorization” N=r·s where r and s are the same digit sequence, this common digit sequence does not terminate (unless N is a perfect square, which it is not in these applications). The algorithm described in conjunction with Theorem 9 supplies a rule for producing as many digits of the expansion A as desired.

In the example of 6 modulo 5, if A denotes the infinite digit expansion

A=1+3·5+0·5²+4·5³+2·5⁴+1·5⁵+2·5⁶+3·5⁷+1·5⁸+3·5⁹+ . . .

then

A²1+1·5+0·5²+0·5³+0·5⁴+0·5⁵+0·5⁶+0·5⁷+0·5⁸+0.·5⁹+ . . .

i.e., one has

A²=6

even though obviously no integer has this property.

Congruences

Definition 7. Let A, B, M be integers. The notation

A≡B (mod M)

means that there exists an integer k such that

A=B+kM.

Here are properties of integer congruences:

Proposition 3

- (a) A≡A (mod M).
- (b) For any integer l, lM≡0 (mod M).
- (c) If A≡B (mod M) then B≡A (mod M).
- (d) If l is a non-zero integer and A≡B (mod l)M, then A≡B (mod M).
- (e) If A≡B (mod M) and C≡D (mod M), then A+C≡B+D (mod M) and AC≡BD (mod M).
- (f) If A≡B (mod M) and f(x) is a polynomial with integer coefficients, then f(A)≡f(B) (mod M).

Proof

- (a) Consider Definition 7 with k=0. Then A=A+kM. That is, A≡A (mod M).
- (b) Taking k=1, M=0+1M, so M≡0 (mod M).
- (c) If A=B+kM, then B=A−kM=A+(−k)M. That is, B≡A (mod M).
- (d) If A≡B (mod M), then A=B+klM=B+(kl)M, so A≡B (mod M) (with kl playing the role of k in Definition 7).
- (e) Suppose that A=B+kM and C=D+lM. Then A+C=B+D+(k+l)M and AC=BD+(Bl+Dk)M show, respectively, that A+C≡B+D and AC≡BD (mod M).
- (f) This is true when f(x)=x^k, by the previous part. It is true for f(x)=ax^k, by (a) and the previous part. Then it is true if f(x) is an arbitrary integral linear combination of power functions, again by the previous part.
  
  □

Proposition 4. Let M be a positive integer. Then, for each integer A, there exists a unique integer r with 0≤r<M, such that A≡r (mod M).

Proof Recall that Euclidean division guarantees that there exist unique integers q and r, the quotient and remainder upon division of A by M , such that A=qM+r where the remainder satisfies 0>r<M. □

Theorem 11. If A and M are coprime integers, then, for any integer B, there exists an integer x such that Ax≡B (mod M). Moreover, there is a unique x in the interval 0≤x<M, and any two solutions differ by a multiple of M.

The uniqueness is of special importance here because of the fact that it is usually simpler to check whether an integer x satisfies Ax≡B (mod M) than it is to construct a solution. In cases where such solutions are desired, it is sufficient to check explicitly that the solution is correct: the details of the applications of the Euclidean division required to produce the solution in the first place can be omitted.

Proof The following lemma holds: the greatest common divisor of A and M is the least positive integer of the form sA+tM for integers s, t. To prove the lemma, let d=sA+tM be the least such positive integer. Since any common divisor of A and M divides d, it follows that gcd(A, M)|d. To show the opposite, that d divides A and M, and it is sufficient by symmetry to show that it divides A. Recall that if q and r are the quotient and remainder of division of A by d, then

A=qd+r

where 0≤r<d. To show that r=0, were it not the case, then note that r=A−qd=A−q(sA+tM)=(1−qs)A+(−qt)M is a positive integer of the form s′A+t′M that is less than d. But d was supposed to be the least such positive integer, so this contradicts the choice of d. Thus it has been shown that d|A. Since also then d|M by symmetry, it now follows that d|gcd(A, M) and now it is proven these positive integers divide one another and thus they are equal.

Returning to the proof of the theorem, since A, M are coprime, there are integers s and t such that As+Mt=1. Multiplying by B this is A(Bs)+M(Bt)=B so that A(Bs)≡B (mod M). Thus x=Bs is the required solution.

For uniqueness, suppose two solutions x, x′ are given, with 0≤x, x′<M, then A(x−x′)≡0 (mod M). Since A has no divisors in common with M, this implies that |x−x′| is divisible by M and the only integer in the interval 0≤|x−x′|<M with this property is |x−x′|=0, so x=x′. This completes the proof. □

Systems of Congruences

The systems of congruence employed here have the following form where p is a prime and the exponents k_iare positive integers:

$\begin{matrix} {\begin{matrix} A_{1} & \equiv B_{1} & (\mod p^{k_{1}}) \\ A_{2} & \equiv B_{2} & (\mod p^{k_{2}}) \\ ⋮ & ⋮ \\ A_{m} & \equiv B_{m} & (\mod p^{k_{m}}) \end{matrix} . & (98) \end{matrix}$

The following corollary to Proposition 3 holds:

Proposition 5. Suppose that the pairs of integers (A_i, B_i) satisfy the system (98) and k_i′ are any positive integers such that k_i′≤k_ifor 1≤i≤m. Then for any integer pairs (A_i′, B_i′) such that

A_i′≡A_i(mod p^k^i′)
B_i′≡B_i(mod p^k^i′)

for 1≤i≤m, the system of congruences (99) also holds:

$\begin{matrix} {\begin{matrix} A_{1}^{'} & \equiv B_{1}^{'} & (\mod {p^{k_{1}}}^{'}) \\ A_{2}^{'} & \equiv B_{2}^{'} & (\mod {p^{k_{2}}}^{'}) \\ ⋮ & ⋮ \\ A_{m}^{'} & \equiv B_{m}^{'} & (\mod {p^{k_{m}}}^{'}) \end{matrix} . & (99) \end{matrix}$

This proposition facilitates checking certain systems of congruences by hand.

Lifting Solutions of Systems of Congruences

When a system of congruences (99) is obtained from (98) as in Proposition 5, the system of congruences (99) arises from (98) by truncation. Proposition 5 implies that every solution to a system of congruence is also a solution to its truncation.

The converse is not true. However, the following principle does hold: every solution to a truncated system of non-degenerate polynomial congruences can be prolonged to a solution of the original system.

In more detail,

Theorem 12. Let F₁(X₁, . . . , X_n), . . . , F_n(X₁, . . . , X_n) be integer polynomials in the indeterminates X₁, . . . , X_n. For any solution any positive integers k₁, . . . , k₁, and for every solution (X₁*, X₂*, . . . , X_n*) modulo p to the system of congruences

$\begin{matrix} F_{1}^{*} (X_{1}^{*}, \dots, X_{n}^{*}) & \equiv 0 & (\mod p) \\ F_{2} (X_{1}^{*}, \dots, X_{n}^{*}) & \equiv 0 & (\mod p) \\ ⋮ & ⋮ \\ F_{M} (X_{1}^{*}, \dots, X_{n}^{*}) & \equiv 0 & (\mod p) \end{matrix}$

such that the determinant of the matrix of partial derivatives (∂F_i/∂X_j)(X₁*, . . . , X_n*) is not divisible by p. Then there exists a unique solution (X₁′, . . . , X_n′) of

$\begin{matrix} F_{1} (X_{1}^{'}, \dots, X_{n}^{'}) & \equiv 0 & (\mod p^{k_{1}}) \\ F_{2} (X_{1}^{'}, \dots, X_{n}^{'}) & \equiv 0 & (\mod p^{k_{2}}) \\ ⋮ & ⋮ \\ F_{M} (X_{1}^{'}, \dots, X_{n}^{'}) & \equiv 0 & (\mod p^{k_{m}}) \end{matrix}$

such that (X₁′, . . . , X_n′) modulo p is congruent to (X₁*, . . . , X_n*).

Proof Let X=(X₁, . . . , X_n) and DF(X) be the matrix of partial derivatives of F. If Σ is any n -dimensional vector of integers, then

F(X*+pΣ)=F(X*)+pDF(X*)·Σ (mod p²). (100)

Since F(X*)≡0 (mod p), all components of the vector F(X*) are divisible by p, and so the following definition is allowed:

Σ=−DF(X*)⁻¹(F(X*)/p)

where the inverse matrix DF(X*)⁻¹is computed modulo p (by hypothesis, it is invertible).

Then (100) implies that F(X*+pΣ)≡0 (mod p²). Now iterate this construction with p²instead of p, and so on. The iteration is none other than Newton's method:

X_n+1=X_n−DF(X_n)⁻¹F(X_n)

and the same argument shows by induction that F(x_n+1)≡0 (mod p²ⁿ⁺¹).

For uniqueness, it is sufficient to exhibit a metric space for which the iteration Φ(X)=X−DF(X)⁻¹F(X) is strictly contractive. To this end, let custom character _pdenote the p-adic integers and extend Φ by density onto _pⁿ, where _pⁿis given the finite-dimensional l^∞ metric. Then:

- Φ(x) is contractive on the closed subset F(X)≡0 (mod p).

To prove it, suppose F(X),F(Y)≡0 (mod p). Denote by A the linear form such that DF(Y)⁻¹=DF(X)⁻¹+A(Y−X)+o(|Y−X|_∞). Note that A is an integral form (i.e., has entries in custom character _p), because of the hypothesis on the determinant of DF(X). Then

$\begin{matrix} ϕ (Y) - ϕ (X) = (Y - X) + ({DF (X)}^{- 1} F (X) - {DF (Y)}^{- 1} F (Y)) + o (❘ Y - X ❘) \\ = (Y - X) + ({DF (X)}^{- 1} F (X) - {DF (X)}^{- 1} + \\ A (Y - X)) (F (X) + DF (X) (Y - X))) + o (❘ Y - X ❘) \\ = A (Y - X) F (X) + o (❘ Y - X ❘) . \end{matrix}$

Since F(X)≡0 (mod p), it then follows that |Φ(Y)−Φ(X)|≤p⁻¹|Y−X|. Thus Φ is a strict contraction on a closed subset of a complete metric space, and therefore has a unique fixed point. □

Note that the proof of the theorem also contains an effective method for constructing the lifted solution (Newton's method).

Triangular Systems

A system of polynomials F₁(X₁), F₂(X₁, X₂), . . . , F_n(X₁, . . . , X_n), where the k-th polynomial of the system depends only on the first k variables, is called lower triangular. It is easier to formulate uniqueness for lower-triangular systems, and these are the only kinds of systems that shall be considered henceforth.

Theorem 13. Suppose that F₁(X₁), F₂(X₁, X₂), . . . , F_n(X₁, X₂, . . . , X_n) is a lower-triangular system such that the diagonal partial derivatives ∞F₁, ∞X₁, ∞F₂/∞X₂, . . . , ∞F_n/∞X_nare non-zero constants modulo p. Then for any positive integers k_i, there exists a unique solution to the system

$\begin{matrix} F_{1} (X_{1}) & \equiv 0 & (\mod p^{k_{1}}) \\ F_{1} (X_{1}, X_{2}) & \equiv 0 & (\mod p^{k_{2}}) \\ ⋮ & ⋮ \\ F_{n} (X_{1}, X_{2}, \dots, X_{n}) & \equiv 0 & (\mod p^{k_{n}}) \end{matrix}$

such that 0≤X_i<p^kⁱfor i=1, . . . n. Moreover, any two solutions X_iand X_i′ are congruent modulo p^kⁱ.

Proof. The proof is by induction on the number of equations. The condition on ∞F₁/ ∞X₁implies that F₁has the following form

F₁(X₁)=a₁X₁+b₁+pR₁(X₁)

where R₁(X₁) is an integral polynomial. By hypothesis, a₁is not zero modulo p, and so a₁X₁+b₁≡0 (mod p) has a unique solution modulo p. Theorem 12 implies the uniqueness of the lift.

Assuming the theorem has been established for a lower triangular system F₁(X₁), . . . , F_n(X₁, . . . , X_n) it is now sufficient to show how to prove it when there is one more relation F_n+1(X₁, . . . , X_n+1). As in the n=1 case, the hypothesis implies

F_n+1(X₁, . . . , X_n+1)=a_n+1X_n+1+b_n+1+pR_n+1(X₁, . . . , X_n+1))

where a_n+1is a nonzero constant and b_n+1is a polynomial in (X₁, . . . , X_n), which have already been determined and so can be eliminated. Because a_n+1X_n+1+b_n+1≡0 (mod p) has a unique solution for X_n+1, it therefore follows, again by Theorem 12, that the equation a_n+1X_n+1+b_n+1+pR_n+1≡0 (mod p^kⁿ⁺¹) also has a unique solution. □

Polynomial Factorization

Suppose that f(x) is a polynomial of degree d≥1 modulo p^Mwhere p is prime and M≥1. Factorization of f has two phases. The second phase is known as Hensel lifting: given any factorization of f(x) modulo p, say f(x)≡f₁(x)f₂(x) . . . f_r(x) (mod p), there exists a unique factorization of f(x) modulo p^M, f(x)≡f₁(x)f₂(x) . . . f_r(x) (mod p^M) such that f_i(x)≡f_i(x) (mod p) for each i. Moreover, there exists a O ^˜(dM) algorithm for determining the factors f_i. Therefore, the problem of factoring modulo a prime power reduces to the problem of factoring modulo a prime.

Factorization Modulo a Prime

Factorization modulo an odd prime p is achieved with the following algorithm.

Input

A monic polynomial f(x) of degree d≥1, modulo an odd prime p.

Output

A set of pairs {(f_i(x), e_i)} of monic polynomials f_i(x) that are irreducible mod p, and multiplicities e_i, for 1≥i≥r, such that f(x)≡f₁(x)^e¹f₂^e². . . f_r(x)^e^r.

- 1. Initialize: Let h←x, ϕ←f, i←0, U←{ }.
- 2. Let i←i+1
- 3. By repeated squaring mod f, compute
  
  h←h^pmod f.

Then set

g←gcd(h−x, ϕ)

4. If g≠1, then call the equal-degree factorization subroutine, with input g and i, and keep the list of irreducible factors g₁, . . . , g_sof g.

- 5. For j=1 to s do:
  - Let e←0

$While g_{j} ❘ ϕ do ϕ \leftarrow \frac{ϕ}{g_{j}} and e \leftarrow e + 1.$

- - U←U∪{(g_j, e)}
- 6. If ϕ≠1, then go to 2. Else return U.

Equal-Degree Factorization Subroutine

The following subroutine is used in the main algorithm.

Input

A square-free monic polynomial f modulo p of degree n>0, and a divisor d<n of n, such that all irreducible factors of f have degree d.

Output

The monic irreducible factors f mod p.

- 1. If n=d, return {f}.
- 2. Choose a polynomial a mod p with 1<degα<n.
- 3. Let g₁←gcd(a, f). If g₁≠1, then call the algorithm recursively with g₁and f/g₁, and return the union of the outputs of the two function calls. Else, go to 4.
- 4. Compute b←a^(p^d^−1)/2mod f, by using repeated squaring modulo f, p.
- 5. Let g₂←gcd(b−1, f). If g₂≠1 and g₂≠f, then call the algorithm recursively with g₂and f/g₂, and return the union of the outputs of the two function calls. Else go to 2.

Lifting to Higher Powers of p

Recall Hensel's lemma:

Theorem 14. Let p be a prime and f(x) be an integer polynomial admitting a factorization f(x)≡a(x)b(x) (mod p). Then, for any M≥1, there exist unique (p,M)-standard polynomials ã(x), {tilde over (b)}(x) with ã(x)≡a(x) (mod p) and b(x)≡b(x) (mod p) such that f(x)≡ã(x){tilde over (b)}(x) (mod p^k).

The polynomials ã(x) and {tilde over (b)}(x) are called the lifts of the factors a(x) and b(x).

A corollary in the present application is:

- Every persistent solution to
  
  r(x)s(x)≡v(x) (mod p)
  
  where r(x)=A(x)+U(x)−V(x), s(x)=A(x)−U(x)−V(x), lifts to a unique solution to
  
  r(x)s(x)≡v(x) (SP _p_k)
  
  where U(x) and V(x) are standard polynomials.

One Step of the Lift

For a factorization f=gh into a pair of factors, the lift is constructed using the following recursive procedure.

Inputs: A p-adic polynomial f and p-adic polynomials g_k, h_k, s_k, t_ksuch that

f≡g_kh_k(mod p²^k)
s_kg_k+t_kh_k≡1 (mod p²^k).

Outputs: p-adic polynomials g_k+1, h_k+1, s_k+1, t_k+1such that

f≡g_kh_k(mod p²^k+1)
s_kg_k+t_kh_k≡1 (mod p²^k+1).

- Let e←f−g_kh_k, and then s_ke←qh_k+r using the division algorithm for polynomials.
- Let h_k+1←h_k+r and g_k+1←g_k+t_ke_k+qg_k.
- Let b←s_kg_k+1+t_kh_k+1−1 and then s_kb←ch_k+1+d using the division algorithm for polynomials.
- Let s_k+1←s_k−d and t_k+1←t_k−t_kb−cg_k+1.

Multifactor Lifting

To lift several factors, one employs a divide and conquer approach. Given a (pairwise coprime) factorization of f=g₁g₂. . . g_r:

- If r is 1, there is nothing to do. Otherwise, divide the g_iinto two sets, and let (say) g be the product of the polynomials g_iin the first set and h the product of the polyniomials h_iin the second. For the factorizations g=Π_ig_iand h=Π_ih_i, recursively call the (multifactor) algorithm. Then, for f=gh call the algorithm of (12.4.4).

Polynomials Modulo a Prime
Polynomial Inversion

Let p be an odd prime and consider polynomials v(x)=α₀+α₁x+ . . . +α_nxⁿwhere the coefficients are integers 0≤α_i<p for each i. The usual rules for polynomial arithmetic are observed, but the coefficients are reduced modulo p. The rules for arithmetic are then extended to power series modulo p. Operating on sequences, the rules are the same as those of digit sequences except that the carry is discarded. Thus the arithmetic of power series modulo p is arithmetic without carry.

Theorem 15. Let f(x) be a polynomial modulo p and suppose that p does not divide f(0). Then there exists a unique power series g(x) such that f(x)g(x)≡1 (mod p).

Proof. For uniqueness, if there were two solutions g and g′, then f(x)(g(x)−g′(x))≡0 (mod p) implies that g(x)−g′(x)≡0 (mod p) and so the polynomials g(x) and g′(x) are the same modulo p.

For existence, it will suffice to give an efficient algorithm for constructing the inverse. Since p does not divide f(0), the Euclidean algorithm gives a coefficient g₀modulo p such that

f(0)g₀≡1 (mod p).

Then, for k=0,1, . . . , define

g_k+1=(2−g_kf)g_kmod p²^k+1.

Let |·| denote the x-adic norm on the power series:

|g(x)|=inf{2^−k|x^k|g(x)}.

Note that

|1−g₀f|≤2⁻¹ (101)

because x divides 1−g₀f. It is now shown that also

|1−g_k+1f|≤|1−g_kf|². (102)

From (101) and (102) it follows by induction that

|1−g_kf|≤2⁻²^k

for all j; that is:

g_kf≡1 (mod x²^k).

Also, if k<k′, |g_k−g_k′|<2⁻²^k, and it follows that g_kand g_k′, agree for the first 2^kterms. Thus the series whose first 2^kterms agree with g_kis well-defined.

It remains to show that (102) holds. Consider

$\begin{matrix} 1 - g_{k + 1} f = 1 - 2 (2 - g_{k} f) g_{k} f \\ = (1 - g_{k} f) - (1 - g_{k} f) g_{k} f \\ = {(1 - g_{k} f)}^{2} . \end{matrix}$

So (102) now follows by multiplicativity of the norm.□

Square Root

Theorem 16. Suppose that v(x) is a polynomial modulo p such that v(0) is a quadratic residue modulo p, say α²≡v(0) (mod p). Then there exists a unique power series A(x) mod p such that A(x)²≡v(x) (mod p) and A(0)≡α (mod p).

Proof. For uniqueness, if A, B are two solutions, then

A²−B²=(A−B)(A+B)≡0 (mod p).

Thus p divides either A−B or A+B, meaning that A≡±B (mod p). Hence, only one of A, B can satisfy A≡α (mod p). Therefore the solution is unique.

This leaves only the matter of existence. Define a sequence A₀, A₁, . . . by A₀=α, and

A_k+1=2⁻¹(A_k+vA_k⁻¹) mod x²^k+1 (103)

where the inverses are computed modulo x²^k+1using the algorithm of inversion modulo p.

Note that |v−A₀²|≤2⁻¹. It shall be shown that

|v−A_k+1²|=|v−A_k|²

so that, by induction,

|v−A_k²|_p=2⁻²^k,

i.e.,

A_k²≡v (mod x²^k).

as desired.

To prove it, denote by 1/A_kthe inverse of A_kmodulo x²^k+1. Then:

$\begin{matrix} v - A_{k + 1}^{2} \equiv v - \frac{1}{4} A_{k}^{2} - \frac{1}{2} v - \frac{1}{4} v^{2} A_{k}^{- 2} \\ \equiv \frac{1}{2} (v - A_{k}^{2}) + \frac{1}{4} (A_{k}^{2} - \frac{v^{2}}{A_{k}^{2}}) \\ \equiv \frac{1}{2} (v - A_{k}^{2}) + \frac{1}{2} \frac{A_{k + 1}}{A_{k}} (A_{k} - \frac{v}{A_{k}}) \\ \equiv \frac{1}{2} (v - A_{k}^{2}) (1 - \frac{A_{k + 1}}{A_{k}}) (\mod x^{2^{k + 1}}) . \end{matrix}$

Next, note that

$1 - \frac{A_{k + 1}}{A_{k}} \equiv \frac{1}{2} (\frac{v - A_{k}^{2}}{A_{k}}) .$

Substituting into the above now gives

$v - A_{k + 1}^{2} \equiv \frac{1}{4} {(v - A_{k}^{2})}^{2} A_{k}^{- 1}$

and therefore, by multiplicativity of the norm and since |A_k|=1,

|v−A_k+1²|=|v−A_k²|²,

as required. □

References, All of Which are Incorporated by Reference Herein

- 1. Coraluppi, Giorgio, Method and apparatus for factoring large integers, U.S. Pat. No. 10,298,393, 21 May 2019.
- 2. von zur Gathen, Joachim and Gerhard, Jürgen, Modern computer algebra, Cambridge University Press, 2013.
- 3. C. F. Gauss, Disquisitiones Arithmeticae, New York, NY: Springer-Verlag, 1986.
- 4. R. L. Rivest, A. Shamir, L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM, 21, 120-125, 1978.

Preferred Embodiment

- An integer N₀to be factored is given. A prime p and vector of positive integers k=[k₀, k₁, . . . , k_M−1] are selected. See FIG. 2.
- A polynomial v(x)=v₀+v₁x+ . . . +v_n−1xⁿ⁻¹is determined such that v(p)=N is a predetermined multiple of N₀.
- A p^k-standard polynomial A(x) is determined such that A(x)²≡v(x) (SP_p_k).
- A polynomial f(x)=f₀+f₁x+f₂x²+ . . . +f_M−1x^M−1is called p^k-standard if
  
  0≤f_i<p^kⁱ
  
  for i=0,1, . . . , M−1.
- The “p^k-standard part” of a polynomial f(x) is computed by reducing the coefficient of xⁱby p^kⁱ, using the division algorithm.
- The standard polynomial A(x) is determined by starting with the constant polynomial A₀(x)=ω₀where ω₀is an integer such that ω₀²≡N₀(mod p), and then performing the iteration
  
  A_j+1(x)=2⁻¹(A_j(x)+v(x)A_j(x)⁻¹) (SP_p_k).
- The roster of pairs (U(x), V(x)) is determined such that there is a persistent standard polynomial factorization:
  
  (A(x)−U(x)−V(x))(A(x)+U(x)−V(x))≡v(x) (SP_p_k)
- A standard polynomial factorization v(x)≡r(x)s(x) is called persistent if r(x) and s(x) have the same degree as their reductions modulo p.
- The persistent factorizations are determined by first factoring v(x) modulo p, and then lifting to a standard polynomial factorization.
- The factorization of v(x) is achieved by first splitting factors by iterating, with repeated squaring, x→x^p(mod v), using the division algorithm to compute the remainder on division by v, then computing the greatest common divisor using the Euclidean algorithm with x^q−x and v(x). Then, with each of the factors so split, further splitting into factors of equal degree.
  - The Euclidean algorithm for inputs f and g is a procedure for determining their greatest common divisor. Exchange f and g if necessary so that degf≥degg. If g is the zero polynomial, return f. If f or g has degree 0, then the output is 1. Otherwise use the division algorithm to compute the remainder r of f on division by g, which will have degree less than that of g, and recursively call the Euclidean algorithm with inputs g, r.
  - Factors of a polynomial f of degree n that splits as a product of distinct polynomials all known to have the same degree d proceeds by starting with a random non-constant polynomial a of degree less than f, computing α^(p^d⁻¹⁾(mod f) using the division algorithm and repeated squaring, using the Euclidean algorithm to test if α^p^d⁻¹−1 shares a factor with f. If so, then f splits and the algorithm is called recursively on the parts. If not, then a new (random) polynomial a is selected.
- The lift is computed as follows. If v(x) factors modulo p as a product g₀(x)h₀(x), where g₀, h₀share no common factor, then the extended Euclidean algorithm is employed to find polynomials s₀(x), t₀(x) modulo p such that s₀(x)g(x)+t₀(x)h(x)=1. For each integer j starting from 0 and increasing until the desired lift is obtained (for a p^k-standard factorization), a polynomial is computed e=f−g_jh_j, then polynomials q, r are computed using the division algorithm so that s_je=qh_j+r. Let h_j+1=h_j+r and g_j+1=g_j+t_je_j+qg_j. Then let b=s_jg_j+1+t_jh_j+1and use the division algorithm to find c, d where s_jb=ch_j+1+d. Then let s_j+1=s_j−d and t_j+1=t_j−t_jb−cg_j+1.
- The extended Euclidean algorithm takes inputs a, b and produces (s, t, α) where sa+tb=a and a is the greatest common divisor of a, b. (1) Let α=α, β=b, S=1, T=0, s=0, t=1. (2) If β=0, then output (s, t, α). Use the division algorithm to find q, r such that degr<deβ and α=qβ+r. Let (S, s)=(s−qS, S) and (T, t)=(t−qT, T), α=β, β=r and go back to (2).
- For each persistent standard polynomial factorization
  
  v(x)≡(A(x)−U(x)−V(x))(A(x)+U(x)−V(x)) (SP)
  
  the carry is determined by
  
  (A(p)−U(p)−V(p))(A(p)+U(p)−V(p))−v(p)≡BV(p)+C
  
  which defines constants B and C.
- An integer a is computed using the division and extended Euclidean algorithms such that a=(B²/4+A(p)B) mod N₀. (The extended Euclidean algorithm is necessary to invert 4 modulo N₀.)
- An initial point in a set of quartuples of integers modulo N₀(the projective space) is [X₀, X₁, X₂, X₃]=[1,0,CU(p) mod N₀, 0], and the semigroup law is repeated starting from this point.
- The semigroup law applies, given a pair of elements [X₀: X₁: X₂: X₃] and [Y₀: Y₁: Y₂: Y₃] of the projective space, to produce a third point [Z₀, Z₁, Z₂, Z₃]:
  - It is tested whether [X₀: X₁: X₂: X₃]≡[Y₀: Y₁: Y₂: Y₃] (mod N₀). If so, then the point [Z₀, Z₁, Z₂, Z₃] is

$\begin{matrix} Z_{0} \equiv 16 X_{0}^{4} X_{2}^{4} (\mod N_{0}) \\ Z_{1} \equiv X_{0}^{4} X_{2}^{2} (4 X_{3}^{2} - 1 6 C^{2} U^{2} X_{0}^{2} a - 3 2 C^{2} {U (p)}^{2} X_{0} X_{1}) (\mod N_{0}) \\ Z_{2} \equiv - 2 X_{0} X_{2} (\begin{matrix} 8 X_{0}^{3} X_{1}^{3} a^{3} + 3 6 X_{0}^{2} X_{1}^{4} a^{2} - 8 X_{0}^{3} X_{1} X_{2}^{2} a^{2} + 5 4 X_{0} X_{1}^{5} a - \\ - 3 6 X_{0}^{2} X_{1}^{2} X_{2}^{2} a + 27 X_{1}^{6} - 3 6 X_{0} X_{1}^{3} X_{2}^{2} + 8 X_{0}^{2} X_{2}^{4} \end{matrix}) (\mod N_{0}) \\ Z_{3} \equiv {(4 X_{0}^{2} X_{1}^{2} a^{2} + 1 2 X_{0} X_{1}^{3} a - 4 X_{0}^{2} X_{2}^{2} a + 9 X_{1}^{4} - 8 X_{0} X_{1} X_{2}^{2})}^{2} (\mod N_{0}) \end{matrix}$

- Otherwise, the point [Z₀, Z₁, Z₂, Z₃] is:

$\begin{matrix} Z_{0} \equiv {(X_{1} Y_{0} - X_{0} Y_{1})}^{4} X_{0}^{2} Y_{0}^{2} (\mod N_{0}) \\ Z_{1} \equiv X_{0}^{3} {Y_{0}^{3} (X_{1} Y_{0} - X_{0} Y_{1})}^{2} (2 C^{2} {U (p)}^{2} X_{0} Y_{0} + 2 X_{1} Y_{1} a + X_{3} Y_{1} - 2 X_{2} Y_{2} + X_{1} Y_{3}) (\mod N_{0}) \\ Z_{2} \equiv X_{0}^{3} Y_{0}^{3} (X_{1} Y_{0} - X_{0} Y_{1}) (\begin{matrix} - 4 C^{2} {U (p)}^{2} X_{0} X_{2} Y_{0}^{2} + 4 C^{2} {U (p)}^{2} X_{0}^{2} Y_{0} Y_{2} + \\ + X_{1} X_{3} Y_{0} Y_{2} + 3 X_{0} X_{3} Y_{1} Y_{2} - 3 X_{1} X_{2} Y_{0} Y_{3} - \\ - X_{0} X_{2} Y_{1} Y_{3} - 2 a (\begin{matrix} X_{1} X_{2} Y_{0} Y_{1} - X_{0} X_{3} Y_{0} Y_{2} - \\ - X_{0} X_{1} Y_{1} Y_{2} + X_{0} X_{2} Y_{0} Y_{3} \end{matrix}) \end{matrix}) (\mod N_{0}) \\ Z_{3} \equiv {(\begin{matrix} {(X_{1} Y_{0} - X_{0} Y_{1})}^{2} X_{0} Y_{0} a + X_{1}^{3} Y_{0}^{3} - X_{0} X_{2}^{2} Y_{0}^{3} - X_{0} X_{1}^{2} Y_{0}^{2} Y_{1} - \\ - X_{0}^{2} X_{1} Y_{0} Y_{1}^{2} + X_{0}^{3} Y_{1}^{3} + 2 X_{0}^{2} X_{2} Y_{0}^{2} Y_{2} - X_{0}^{3} Y_{0} Y_{2}^{2} \end{matrix})}^{2} (\mod N_{0}) \end{matrix}$

- The semigroup law is repeated, possibly in batches to minimize the number of arithmetic operations performed. There is a test if the semigroup reaches the boundary of the projective space; when it does so, a factorization of N₀is achieved.
- If a factorization of N₀is not achieved after a preselected amount of time, a different multiple of N₀shall be selected in lieu of N, and the process is repeated until a factor is found.

DESCRIPTION OF THE INVENTION

The present invention pertains to a method for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers. See FIGS. 1-4. The method comprises the steps of obtaining the electromagnetic signal W from a telecommunications network, or a data network or an Internet or a first non-transient memory. There is the step of storing the signal W in a second non-transient memory. There is the step of decoding with a second computer in communication with the second non -transient memory the signal W in the second non-transient memory by factoring the public key N₀in at most a time O(log⁶N₀) with the second computer generated steps of selecting integers a, b. There is the step of electing an initial point in a set of quartuples of integers modulo N₀(a projective space) [X₀, X₁, X₂, X₃]=[1,0,b,0]. There is the step of applying a semigroup law repeatedly starting from the initial point, where the semigroup law is defined as: given a pair of elements [X₀: X₁: X₂: X₃] and [Y₀: Y₁: Y₂: Y₃] of the projective space, there is produced a third point [Z₀, Z₁, Z₂, Z₃]. There is the step of determining that [X₀: X₁: X₂: X₃]≡[Y₀: Y₁: Y₂: Y₃] (mod N₀), and thus the third point is

$\begin{matrix} Z_{0} \equiv 16 X_{0}^{4} X_{2}^{4} (\mod N_{0}) \\ Z_{1} \equiv X_{0}^{4} X_{2}^{2} (4 X_{3}^{2} - 1 6 b^{2} X_{0}^{2} a - 3 2 b^{2} X_{0} X_{1}) (\mod N_{0}) \\ Z_{2} \equiv - 2 X_{0} X_{2} (\begin{matrix} 8 X_{0}^{3} X_{1}^{3} a^{3} + 3 6 X_{0}^{2} X_{1}^{4} a^{2} - 8 X_{0}^{3} X_{1} X_{2}^{2} a^{2} + 5 4 X_{0} X_{1}^{5} a - \\ - 3 6 X_{0}^{2} X_{1}^{2} X_{2}^{2} a + 2 7 X_{1}^{6} - 3 6 X_{0} X_{1}^{3} X_{2}^{2} + 8 X_{0}^{2} X_{2}^{4} \end{matrix}) (\mod N_{0}) \\ Z_{3} \equiv {(4 X_{0}^{2} X_{1}^{2} a^{2} + 1 2 X_{0} X_{1}^{3} a - 4 X_{0}^{2} X_{2}^{2} a + 9 X_{1}^{4} - 8 X_{0} X_{1} X_{2}^{2})}^{2} (\mod N_{0}); \end{matrix}$

otherwise, the point [Z₀, Z₁, Z₂, Z₃] is:

$\begin{matrix} Z_{0} \equiv {(X_{1} Y_{0} - X_{0} Y_{1})}^{4} X_{0}^{2} Y_{0}^{2} (\mod N_{0}) \\ Z_{1} \equiv X_{0}^{3} {Y_{0}^{3} (X_{1} Y_{0} - X_{0} Y_{1})}^{2} (2 b^{2} X_{0} Y_{0} + 2 X_{1} Y_{1} a + X_{3} Y_{1} - 2 X_{2} Y_{2} + X_{1} Y_{3}) (\mod N_{0}) \\ Z_{2} \equiv X_{0}^{3} Y_{0}^{3} (X_{1} Y_{0} - X_{0} Y_{1}) (\begin{matrix} - 4 b^{2} X_{0} X_{2} Y_{0}^{2} + 4 b^{2} X_{0}^{2} Y_{0} Y_{2} + X_{1} X_{3} Y_{0} Y_{2} + \\ + 3 X_{0} X_{3} Y_{1} Y_{2} - 3 X_{1} X_{2} Y_{0} Y_{3} - X_{0} X_{2} Y_{1} Y_{3} - \\ - 2 a (X_{1} X_{2} Y_{0} Y_{1} - X_{0} X_{3} Y_{0} Y_{2} - X_{0} X_{1} Y_{1} Y_{2} + X_{0} X_{2} Y_{0} Y_{3}) \end{matrix}) (\mod N_{0}) \\ Z_{3} \equiv {(\begin{matrix} {(X_{1} Y_{0} - X_{0} Y_{1})}^{2} X_{0} Y_{0} a + X_{1}^{3} Y_{0}^{3} - X_{0} X_{2}^{2} Y_{0}^{3} - X_{0} X_{1}^{2} Y_{0}^{2} Y_{1} - \\ - X_{0}^{2} X_{1} Y_{0} Y_{1}^{2} + X_{0}^{3} Y_{1}^{3} + 2 X_{0}^{2} X_{2} Y_{0}^{2} Y_{2} - X_{0}^{3} Y_{0} Y_{2}^{2} \end{matrix})}^{2} (\mod N_{0}) . \end{matrix}$

There may be the step of displaying on a display the decrypted signal W. The display may be any type of computer display, tablet display, telephone display or paper which allows the decrypted signal W to be read by a person.

There may be the steps of, if a factorization of N₀is not found after a preselected amount of time, re-initializing the semigroup law with different values of a and b; and repeating the electing, applying, determining, testing and Identifying steps until a factor with N₀is found.

There may be the second computer generated steps of selecting a prime p and vector of positive integers k=[k₀, k₁, . . . , k_M−1]. There may be the step of determining a polynomial v(x)=v₀+v₁x+ . . . +v_n−1xⁿ⁻¹such that v(p)=N is a predetermined multiple of N₀. There may be the step of determining a p^k-standard polynomial A(x) such that A(x)²≡v(x) (SP_p_k), where a polynomial f(x)=f₀+f₁x+f₂x²+ . . . +f_M−1x^M−1is called p^k-standard if

0≤f_i<p^kⁱ

for i=0,1, . . . ,M−1, a p^k-standard part of the polynomial f(x) is computed by reducing the coefficient of xⁱmodulo p^kⁱand truncating all terms x^mfor m≥M. There may be the step of determining a roster of pairs (U(x), V(x)) such that there is a persistent standard polynomial factorization:

(A(x)−U(x)−V(x))(A(x)+U(x)−V(x))≡v(x) (SP_p_k)

where a standard polynomial factorization v(x)≡r(x)s(x) is called persistent if r(x) and s(x) have the same degree as their reductions modulo p.

There may be the second computer generated steps of for each item of the roster, a standard polynomial factorization is

v(x)≡(A(x)−U(x)−V(x))(A(x)+U(x)−V(x)) (SP)

determining a carry by

(A(p)−U(p)−V(p))(A(p)+U(p)−V(p))−v(p)≡BV(p)+C

which defines constants B and C for each pair of the roster, for those elements of the roster of (U(x), V(x)) such that both corresponding constants B, C are simultaneously zero, the integers r(p)=A(p)−U(p)−V(p) and s(p)=A(p)+U(p)−V(p) contain divisors of N₀. There may be the step of extracting the divisors to obtain the prime factors of N₀.

$\begin{matrix} Z_{0} \equiv 16 X_{0}^{4} X_{2}^{4} (\mod N_{0}) \\ Z_{1} \equiv X_{0}^{4} X_{2}^{2} (4 X_{3}^{2} - 16 b^{2} X_{0}^{2} a - 3 2 b^{2} X_{0} X_{1}) (\mod N_{0}) \\ Z_{2} \equiv - 2 X_{0} X_{2} (\begin{matrix} 8 X_{0}^{3} X_{1}^{3} a^{3} + 36 X_{0}^{2} X_{1}^{4} a^{2} - 8 X_{0}^{3} X_{1} X_{2}^{2} a^{2} + 54 X_{0} X_{1}^{5} a - \\ - 36 X_{0}^{2} X_{1}^{2} X_{2}^{2} a + 27 X_{1}^{6} - 36 X_{0} X_{1}^{3} X_{2}^{2} + 8 X_{0}^{2} X_{2}^{4} \end{matrix}) (\mod N_{0}) \\ Z_{3} \equiv {(4 X_{0}^{2} X_{1}^{2} a^{2} + 1 2 X_{0} X_{1}^{3} a - 4 X_{0}^{2} X_{2}^{2} a + 9 X_{1}^{4} - 8 X_{0} X_{1} X_{2}^{2})}^{2} (\mod N_{0}); \end{matrix}$

otherwise, the point [Z₀, Z₁, Z₂, Z₃] is:

There is the step of testing if any component of the third point shares a factor with N₀and is a shared factor with N₀. There is the step of identifying the shared factor with N₀as one of plurality of prime factors of N₀, and a quotient of N₀by the shared factor as another prime factor. The cpu decrypting the signal W with the public key N₀and prime factors of integer N₀. The cpu reviewing the decrypted signal W for predetermined words to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be quickly acted upon to eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated. The steps described above for the method are also applicable to the second computer.

$\begin{matrix} Z_{0} \equiv 16 X_{0}^{4} X_{2}^{4} (\mod N_{0}) \\ Z_{1} \equiv X_{0}^{4} X_{2}^{2} (4 X_{3}^{2} - 16 b^{2} X_{0}^{2} a - 3 2 b^{2} X_{0} X_{1}) (\mod N_{0}) \\ Z_{2} \equiv - 2 X_{0} X_{2} (\begin{matrix} 8 X_{0}^{3} X_{1}^{3} a^{3} + 36 X_{0}^{2} X_{1}^{4} a^{2} - 8 X_{0}^{3} X_{1} X_{2}^{2} a^{2} + 54 X_{0} X_{1}^{5} a - \\ - 36 X_{0}^{2} X_{1}^{2} X_{2}^{2} a + 27 X_{1}^{6} - 36 X_{0} X_{1}^{3} X_{2}^{2} + 8 X_{0}^{2} X_{2}^{4} \end{matrix}) (\mod N_{0}) \\ Z_{3} \equiv {(4 X_{0}^{2} X_{1}^{2} a^{2} + 1 2 X_{0} X_{1}^{3} a - 4 X_{0}^{2} X_{2}^{2} a + 9 X_{1}^{4} - 8 X_{0} X_{1} X_{2}^{2})}^{2} (\mod N_{0}); \end{matrix}$

otherwise, the point [Z₀, Z₁, Z₂, Z₃] is:

Alternatively, the present invention pertains to a method for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers. The method comprises the steps of obtaining the electromagnetic signal W from a telecommunications network, or a data network or an Internet or a first non -transient memory. There is the step of storing the signal W in a second non-transient memory. There is the step of decoding with a second computer in communication with the second non-transient memory the signal W in the second non-transient memory by factoring the public key N₀in at most a time O(log⁶N₀) with the second computer generated steps of selecting a prime p and vector of positive integers k=[k₀, k₁, . . . , k_M−1]. There is the step of determining a polynomial v(x)=v₀+v₁x+ . . . +v_n−1xⁿ⁻¹such that v(p)=N is a predetermined multiple of N₀. There is the step of determining a p^k-standard polynomial A(x) such that A(x)²≡v(x) (SP_p_k), where a polynomial f(x)=f₀+f₁x+f₂x²+ . . . +f_M−1x^M−1is called p^k-standard if

0≤f_i<p^kⁱ

for i=0,1, . . . ,M−1, a p^k-standard part of the polynomial f(x) is computed by reducing the coefficient of xⁱmodulo p^kⁱand truncating all terms x^mfor m≥M. There is the step of determining a roster of pairs (U(x), V(x)) such that there is a persistent standard polynomial factorization:

(A(x)−U(x)−V(x))(A(x)+U(x)−V(x))≡v(x) (SP_p_k)

where a standard polynomial factorization v(x)≡r(x)s(x) is called persistent if r(x) and s(x) have the same degree as their reductions modulo p. There is the step of determining a shared factor that integers r(p) and s(p) share with N₀, where the shared factor with N₀as one of plurality of prime factors of N₀. There is the step of obtaining another prime factor by division of N₀by the shared factor. There is the step of identifying the shared factor with N₀as one of plurality of prime factors of N₀, and a quotient of N₀by the shared factor as another prime factor. There is the step of decrypting with the second computer the signal W with the public key N₀and prime factors of the integer N₀. There is the step of reviewing the decrypted signal W for predetermined words with the second computer to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be acted upon to mitigate or eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.

There may be the second computer generated steps of, for each item of the roster, a standard polynomial factorization is

v(x)≡(A(x)−U(x)−V(x))(A(x)+U(x)−V(x)) (SP)

then determining a carry by

(A(p)−U(p)−V(p))(A(p)+U(p)−V(p))−v(p)=BV(p)+C

which defines constants B and C for each pair of the roster, for those elements of the roster of (U(x), V(x)) such that both corresponding constants B, C are simultaneously zero, the integers r(p)=A(p)−U(p)−V(p) and s(p)=A(p) +U(p)−V(p) contain divisors of N₀. There may be the step of extracting the divisors to obtain the prime factors of N₀.

There may be the second computer generated steps of given the initial pair ξ₁=0, y₁=CU(p) mod N₀, calculating a discriminant Δ from

$\begin{matrix} Δ = x^{3} + (\frac{B^{2}}{4} + A (p) B) x^{2} + {U (p)}^{2} C^{2} & \mod N_{0} . \end{matrix}$

There may be the step of iterating a semigroup law until a factor is found, where the semigroup law is defined as:

If ξ_n≡ξ₁(mod N₀), let δ=ξ₁, σ₁=0, σ_n=1, otherwise, ξ_n. . . ξ₁is a nonzero constant modulo N₀; checking whether ξ_n−ξ₁shares a factor with N₀; if so, then terminating the semigroup iteration and the factor identified is one of the prime factors of N₀, where the other prime factor is found by division of N₀by the first factor; let δ=1, λ=(ξ_n−ξ₁)⁻¹(mod N₀), σ₁=−λ, σ₂=λ; so irrespective of whether ξ_n≡ξ₁(mod N₀), it holds that σ₁ξ₁+σ_nξ_n=δ where δ is a polynomial gcd of ξ₁and ξ_n;

Next, if y_n≡−y₁(mod N₀), then let d=δ, ρ=1, ϵ=0; else, checking if y_n+y₁shares a factor with N₀and if so then terminating the semigroup iteration and the first factor identified as one of the prime factors of N₀, where the other prime factor is found by division of N₀by the first factor; otherwise, let d=1, ρ=0, and λ=(y_n+y₁)⁻¹mod N₀, so that for either sign in y_n≡±y₁(mod N₀), a congruence ρδ+ϵ(y₁+y_n)≡d (mod N₀) now holds, where d is a polynomial gcd of δ and y₁+y_n;

Finally, let ξ_n+1←ξ_nξ₁/d², define y_n+1(mod N₀) such that the congruence holds:

dy_n+1≡ρ(σ₁ξ₁y_n+σ_nξ_ny₁)+ϵδ(mod ξ_n+1)

where the modulo is with respect to polynomial division by ξ_n+1(mod N₀), and, if ξ_n+1is quadratic rather than linear, then let

$ξ_{n + 1} \leftarrow \frac{Δ - y_{n + 1}^{2}}{ξ_{n + 1}} .$

There may then be the step of testing whether the leading coefficient of ξ_n+1and N₀share a factor, and if so, then terminating the semigroup iteration and the first factor is found by division of N₀by the first factor; else, normalize ξ_n+1by dividing (modulo N₀) by the leading coefficient of ξ_n+1and update y_n+1:

y_n+1←−y_n+1mod ξ_n+1.

There may be the step of iterating the semigroup law until a prime factor is found. There may be the step of identifying this prime factor as the first factor of N₀. There may be the step of obtaining the other prime factor by division of N₀by the first prime factor.

The present invention pertains to a second computer for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s. The second computer comprises an input for obtaining the electromagnetic signal W from a telecommunications network, or a data network or an Internet or a first non-transient memory. The second computer comprises a second non-transient memory in communication with the input in which the signal W is stored. The second computer comprises a cpu in communication with the second non -transient memory with the signal W in the second non-transient memory. The cpu decodes the signal W by factoring the public key N₀in time O(log⁶N₀) by the second computer generated steps of selecting a prime p and vector of positive integers k=[k₀, k₁, . . . , k_M−1]. There is the step of determining a polynomial v(x)=v₀+v₁x+ , , , +v_n−1xⁿ⁻¹such that v(p)=N is a predetermined multiple of N₀. There is the step of determining a p^k-standard polynomial A(x) such that A(x)²≡v(x) (SP_p_k), where a polynomial f(x)=f₀+f₁x+f₂x²+ . . . +f_M−1x^M−1called p^k-standard if

0≤f_i<p^kⁱ

for i=0,1, . . . ,M−1, a p^k-standard part of the polynomial f(x) is computed by reducing the coefficient of xⁱmodulo p^kⁱand truncating all terms x^mfor m≥M. There is the step of determining a roster of pairs (U(x), V(x)) such that there is a persistent standard polynomial factorization:

(A(x)−U(x)−V(x))(A(x)+U(x)−V(x))≡v(x) (SP_p_k)

where a standard polynomial factorization v(x)≡r(x)s(x) is called persistent if r(x) and s(x) have the same degree as their reductions modulo p. There is the step of determining a shared factor that integers r(p) and s(p) share with N₀, where the shared factor with N₀as one of plurality of prime factors of N₀. There is the step of obtaining another prime factor by division of N₀by the shared factor. There is the step of identifying the shared factor with N₀as one of plurality of prime factors of N₀, and a quotient of N₀by the shared factor as another prime factor. The cpu decrypting with the second computer the signal W with the public key N₀and prime factors of the integer N₀. The cpu reviewing the decrypted signal W for predetermined words to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be acted upon to mitigate or eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated. The steps described above for the alternative method are also applicable for the second computer.

The present invention pertains to a non-transitory readable storage medium which includes a computer program stored on the storage medium for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s, where the signal W has been stored in a second non-transient memory of a second computer, and the second computer factoring the public key N₀in at most a time O(log⁶N₀). The signal W obtained from a telecommunications network, or a data network or an Internet or a first non-transient memory. The computer program having the second computer generated steps of: selecting a prime p and vector of positive integers k=[k₀, k₁, . . . , k_M−1]. There is the step of determining a polynomial v(x)=v₀+v₁x+ . . . +v_n−1xⁿ⁻¹such that v(p)=N is a predetermined multiple of N₀. There is the step of determining a p^k-standard polynomial A(x) such that A(x)²≡v(x) (SP_p_k), where a polynomial f(x)=f₀+f₁x+f₂x²+ . . . +f_M−1x^M−1is called p^k-standard if

0≤f_i<p^kⁱ

for i=0,1, . . . ,M−1, a p^k-standard part of the polynomial f(x) is computed by reducing the coefficient of xⁱmodulo p^kⁱand truncating all terms x^mfor m≥M. There is the step of determining a roster of pairs (U(x), V(x)) such that there is a persistent standard polynomial factorization:

(A(x)−U(x)−V(x))(A(x)+U(x)−V(x))≡v(x) (SP_p_k)

where a standard polynomial factorization v(x)≡r(x)s(x) is called persistent if r(x) and s(x) have the same degree as their reductions modulo p. There is the step of determining a shared factor that integers r(p) and s(p) share with N₀, where the shared factor with N₀as one of plurality of prime factors of N₀. There is the step of obtaining another prime factor by division of N₀by the shared factor. There is the step of identifying the shared factor with N₀as one of plurality of prime factors of N₀, and a quotient of N₀by the shared factor as another prime factor. There is the step of decrypting with the second computer the signal W with the public key N₀and prime factors of the integer N₀. There is the step of reviewing the decrypted signal W for predetermined words with the second computer to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be acted upon to mitigate or eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated. The steps described above for the alternative method are also applicable for the computer program.

Although the invention has been described in detail in the foregoing embodiments for the purpose of illustration, it is to be understood that such detail is solely for that purpose and that variations can be made therein by those skilled in the art without departing from the spirit and scope of the invention except as it may be described by the following claims.

Number	Name	Date	Kind
20130136257	You	May 2013	A1
20180198613	Anderson	Jul 2018	A1

Factoring large integers

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

Field of Search

US

International Classifications

Disclaimer

Term Extension

Abstract

Description

Claims

US Referenced Citations (2)