The present invention is related to solving an equation in two or more unknown integer variables, where each variable is represented by a multiplicity of multiples of powers of an odd prime p. Specifically, the present invention is related to factoring an integer N₀ by restating the problem as the factorization of an appropriate integer N which is a quadratic residue modulo p, then factoring N in a time of order p²·(log_p N)⁴.
The problem of resolving a large integer into the product of its prime factors has stimulated the intellectual curiosity and the imagination of many generations of mathematicians.
In 1801 Gauss wrote: “. . . the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated.” [1,397]
The problem has attracted renewed interest, ever since R. L. Rivest, A. Shamir and L. Adleman proposed an encryption method which is based on the computational difficulty of the factorization problem [2].
This note introduces a method and apparatus which allows the factorization of a large odd integer N in logarithmic time.
The present invention pertains to a method for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s. The method comprises the steps of storing the signal W in a non-transient memory. There is the step of decoding, with a second computer in communication with the memory, the signal W in the memory, with the second computer generated steps of selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p, calculating n₀ satisfying the inequalities pn
N≡A² (mod p^n) (1)
by using the representation
where ω_i satisfies the condition
0<ω_i<p^{n−1}. (3)
There is the step of decrypting with the second computer the signal W with the public key N0 and the prime factors of integer N0. There is the step of displaying on a display by the second computer the decrypted signal W. There is the step of reviewing the decrypted signal W and its relevance.
The present invention pertains to a second computer for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N0=r×s, where N0, r and s are integers and W is a function of r and s, comprising:
decoding, with a CPU in communication with the memory, the signal W in the memory, by the second computer generated steps of selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p, calculating n₀ satisfying the inequalities pn
N≡A² (mod p^n) (4)
by using the representation
where ω_i satisfies the condition
0<ω_i<p^{n−1}. (6)
the CPU decrypting the signal W with the public key N0 and the prime factors of integer N0; and
a display on which the decrypted signal W is displayed so the decrypted signal W can be reviewed to determine the relevance of the decrypted signal W. The display can be a computer screen or smart phone screen or any screen or piece of paper on which the decrypted signal W is printed or any medium on which the decrypted signal W can be reviewed.
The present invention pertains to a non-transitory readable storage medium which includes a computer program stored on the storage medium for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N0=r×s, where N0, r and s are integers and W is a function of r and s, where the signal W has been stored in a non-transient memory of a second computer, having the second computer generated steps of:
selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p; calculating n₀ satisfying the inequalities pn
N≡A² (mod p^n) (7)
by using the representation
where ωi satisfies the condition
There is the step of decrypting with the second computer the signal W with the public key N0, and the prime factors of integer N0. There is the step of displaying on a display by the second computer the decrypted signal W for predetermined words to determine the relevance of the decrypted signal W.
Given a positive odd integer N₀, it is desired to determine a pair of integers r₀ and s₀ such that
N₀=r₀·s₀. (10)
The problem can also be stated as the search for two integers Y₀ and X₀ such that
N₀=Y₀²−X₀². (11)
The pairs (r0, s0) and (Y0, X0) are related as follows:
Conversely,
If r0>s0>0, both Y0 and X0 are positive. In this case it is useful to consider some limit cases in order to develop an appreciation for the magnitude of the variables.
One of the limit cases occurs when the pair (r0, s0) is a pair of “twin primes”, such as (43, 41). In these cases,
At the other end is the case when r0 approximates N0. At the limit, consider a pair (r0, s0) equaling (N0, 1). Then
Therefore, in all cases
Thus, in all cases, Y₀²>N₀. In some cases, X₀² is greater than N₀.
Given N0 and an odd prime p, the general solution of (10) has the following form:
where α, β, λ0 and μ0 denote integers and where α·β≡N0 (mod p). If α and β are both even or both odd, A0 and p0 have the same parity. Otherwise, define β′=β+p and μ′0=μ0−1. Thus, without loss of generality, it is possible to define two integers U0 and V0 as follows:
Then
The integers V₀ and U₀ are usually referred to as the symmetric and antisymmetric components of the pair (r₀, s₀), respectively. In general, in the search for (U₀, V₀), all values of α in the interval 1≤α<p may need to be tested.
The complexity of the problem is reduced in the cases when
In such cases V0≡0 (mod p).
In order to realize this situation, it is possible to restate the problem of factoring N0 into the problem of factoring some integer N which satisfies (20). To this end, select a prime p such that N0 is a non-quadratic residue modulo p. It will be pn
N₀≡τ·α̃² (mod p²). (21)
Let τ̃ denote the least positive residue of (21) modulo p². Then β≡τ̃·α̃ (mod p). Since N₀ is a non-quadratic residue modulo p, so is τ̃. If τ̃ is odd, define the integer N by the following
N=τ̃·N₀ (22)
where, for some integer n, p^{n−1}<N<p^n. Then N is a quadratic residue modulo p and
N≡τ̃²·α̃² (mod p²). (23)
If p=4·k+1, then τ̃≢±1 (mod p) for all α̃ and τ̃²≢1 (mod p).
The integer τ̃²·α̃² can be partitioned into the product of τ̃·α̃ by τ̃·α̃ or of −τ̃·α̃ by −τ̃·α̃, yielding
where
and where U and V denote integers. Similar relationships hold if r≡s≡−τ̃·α̃ (mod p).
Notice that, if U>0, r>s.
In the case of (24), it will be
Also, since {tilde over (τ)} is odd,
The factorization problem requires the identification of a pair (Ũ, Ṽ) such that, for the corresponding (r̃, s̃), it is
N=r̃·s̃. (28)
If, using the given α̃, the algorithm were successful in factoring N, then r̃ would be divisible by τ̃ and r̃/τ̃=r₀.
NOTE 1: There is the possibility that τ̃·α̃ is divisible by some integer t₁=1+h·p with 0<h<p. In this case, the product τ̃²·α̃² may be partitioned into the pair
which satisfies the second of (20). This case will not be considered here because the pair (X, Y) would not be represented as in (26).
It should be noted that the proposed restatement of the problem is motivated by the convenience of using search tools such as (24) and (26), which operate on lattices of rectangular cells of sides p and p2.
NOTE 2: In general, all the values of α should be tested. Since N₀ is a non-quadratic residue modulo p, it is sufficient to test the values of α which are non-quadratic residues modulo p.
NOTE 3: In order to avoid singular cases, it is convenient to select p in such a way that, for all non-quadratic residues α modulo p, it is
α²≢1 (mod p²). (29)
Such is the case when 2 is a primitive root modulo p.
The prime p was selected of the form 4·k+1. Also, it has been shown that the integer 2 is a primitive root of the primes of the form 8·h±3 [3, p.79]. Therefore, 2 is a primitive root of the primes defined by
8·h±3=4·k+1 (30)
or
p=4·ODD+1. (31)
NOTE 4: In general, in (24) the product τ̃·α̃ can be replaced by any integer A such that A≡τ̃·α̃ (mod p²) and N=τ̃·N₀≡A² (mod p²). In particular, such is the case when
N≡τ̃²·α̃² (mod p²)
≡Ã² (mod p²). (32)
Consider the expression of Y when Ã is used in lieu of τ̃·α̃:
Y=τ̃·α̃+V·p²
=Ã+V₁·p² (33)
for some integer V₁.
Recall that, by (16),
√N<Y<N. (34)
There are two significant particular cases: If Ã<√N, then V₁>0. Also, if Ã>N, then V₁<0. Throughout this presentation, Ã will be greater than N. For simplicity of notation, the integer V will be constrained to be positive. Then (24) takes the following form:
NOTE 5: A particular definition of N can be produced when τ is computed modulo pn
N0≡T0·α2(mod pn
Let {tilde over (T)}0 denote the least positive residue of T0 modulo pn
{tilde over (T)}0≡N0·α−2 (mod pn
≡{tilde over (τ)}(mod p2). (37)
If {tilde over (T)}0 is odd let
In this case, the magnitude of NT
NOTE 6: Consider the case where, after the selection of p and α̃, the integer U is selected or computed to be U≡ũ_{1,1} (mod p). In this case it would be possible to define an integer τ̃₂ as the least positive solution of the following:
N₀≡τ₂·(α̃+ũ_{1,1}·p)² (mod p⁴). (39)
Then N could be defined as follows:
N=τ̃₂·N₀
=(τ̃₂·r₀)·s₀ (40)
and (24) could be replaced by the following:
for some integers U2 and V4.
NOTE 7: There is the possibility that the solution τ̃ of (21) is even. In this case, let
>0. (42)
Then
As an example, let N₀=73·71=5,183. If p=29, 73=15+2·p and 71=13+2·p.
For α̃=15, τ is defined by N₀≡τ·15² (mod p²). The least positive solution is τ̃=722. It will be
N=−(p²−τ̃)·N₀. (43)
Then (24) takes the following form
where
Consider an algorithm which determines the pair (r, s) by successive approximations. In particular, consider the case when a candidate solution of s is determined sequentially modulo p, p², . . . , p^k. In such a case, it is convenient to verify, at each step, whether a proposed candidate solution yields a divisor of N₀. Let ŝ denote the least positive residue of s modulo p^k. Then let ŝ₀=p^k−ŝ and verify whether gcd(ŝ₀, N₀)≠1.
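The restatement of (21)-(23) and (43), together with the gcd screen just described, as an added Python example (not the patent's own code; the function names are this example's own). It reproduces the page's numbers N₀=5,183, p=29, α̃=15, τ̃=722 and checks that the resulting N is a quadratic residue modulo p with N≡(τ̃·α̃)² (mod p²); the condition on 2 is checked by computing its order rather than from the form of p.

```python
# Added example, not from the patent: the restatement step (21)-(23) with the
# even-tau~ variant (43), and the gcd screen for a candidate residue of s.
# Names (legendre, restate, candidate_divisor, ...) are this example's own.
from math import gcd


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p: 1 residue, -1 non-residue, 0 if p | a."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def multiplicative_order(a, p):
    """Order of a in the multiplicative group modulo a prime p (naive loop; p is small here)."""
    x, k = a % p, 1
    while x != 1:
        x, k = x * a % p, k + 1
    return k


def prime_is_suitable(p, n0):
    """Conditions the text places on p: p = 4k+1 with k odd (i.e. p = 5 mod 8),
    N0 a non-quadratic residue mod p, and 2 a primitive root mod p (NOTE 3)."""
    return p % 8 == 5 and legendre(n0, p) == -1 and multiplicative_order(2, p) == p - 1


def restate(n0, p, alpha):
    """Return (tau~, N).  tau~ is the least positive residue of N0 * alpha^-2 mod p^2 (21);
    N = tau~ * N0 when tau~ is odd (22), otherwise N = -(p^2 - tau~) * N0 (43), which keeps
    the multiplier odd while still giving N = tau~ * N0 (mod p^2)."""
    p2 = p * p
    tau = n0 * pow(alpha * alpha, -1, p2) % p2
    multiplier = tau if tau % 2 else -(p2 - tau)
    return tau, multiplier * n0


def candidate_divisor(s_hat, p, k, n0):
    """gcd screen of the text: s_hat is the least positive residue of a candidate s modulo
    p^k; form s_hat0 = p^k - s_hat and return gcd(s_hat0, N0) when it is not 1, else None."""
    g = gcd(p ** k - s_hat, n0)
    return g if g != 1 else None


def run_example():
    """The page's numbers: N0 = 73 * 71, p = 29, alpha~ = 15 (check values constructed here)."""
    n0, p, alpha = 73 * 71, 29, 15
    assert prime_is_suitable(p, n0)
    tau, big_n = restate(n0, p, alpha)
    p2 = p * p
    assert legendre(big_n, p) == 1                   # N is a quadratic residue mod p
    assert big_n % p2 == (tau * alpha) ** 2 % p2     # congruence (23)
    assert abs(big_n // n0) % 2 == 1                 # the multiplier is odd
    # A candidate s congruent to -71 modulo p^2 reveals the factor 71 through the screen.
    assert candidate_divisor((-71) % p2, p, 2, n0) == 71
    return tau, big_n


if __name__ == "__main__":
    print(run_example())
```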
In this presentation, without loss of generality, it will be assumed that {tilde over (τ)} is a positive odd integer.
Given p^{n−1}<N<p^n, where N is a quadratic residue modulo p, let
where {ν_i} denote integers, and 0≤ν_i≤p.
It is desired to compute a solution of the following:
N≡A² (mod p^n) (47)
where
and where
0≤α_i<p. (49)
Subject to (49), the solution of (47) is provided by the following:
where RH_i and LH_i denote the RHS and LHS, respectively, of the congruence containing ν_i.
The terms (RH_i−LH_i)/p are usually referred to as carries. They are caused by the constraint (49) and flow from the less significant digits to the more significant ones.
As an example, consider the problem of solving
N≡A² (mod p⁵), (51)
where N is a quadratic residue modulo p. Assume p=13 and
If 0≤α_i<p, a solution of (51), say Ã, can be represented as follows:
Ã=6+0·p+3·p²+10·p³+5·p⁴. (53)
A second solution of (51) occurs when α̃₀=6 is replaced by
Ā=7+12·p+9·p²+2·p³+7·p⁴. (54)
Consider removing the magnitude constraints (49) from all α_i and representing A as
A≡ω₀+ω₁·p+ω₂·p²+ω₃·p³+ω₄·p⁴ (mod p⁵), (55)
where the coefficients of any power of p are positive integers and are constrained by the following conditions:
0<ω_i<p^{n−i}. (56)
Then the congruence (51) can be satisfied if the sum of the coefficients of any power of p, say p^i, is congruent to zero modulo p^{5−i}. Specifically, in the example, it must be
In the example, consider the condition
10≡ω₀² (mod p⁵). (58)
For ω₀≡6 (mod p), the least positive solution, say ω̃₀, is ω̃₀=181,200. For
To satisfy the second of (57) when ω̃₀=181,200, it must be
2·p≡2·ω̃₀·ω₁·p (mod p⁵).
The least positive solution, say ω̃₁, is ω̃₁=18,120.
Thereafter, from the third of (57), let
10·p²≡(ω̃₁²+2·ω̃₀·ω₂)·p² (mod p⁵),
whence ω̃₂=1,814.
Likewise, from the fourth of (57), let
5·p³≡2·ω̃₁·ω̃₂·p³+2·ω̃₀·ω₃·p³ (mod p⁵),
whence ω̃₃=97.
Finally, from the fifth of (57), let
0·p⁴≡ω̃₂²·p⁴+2·ω̃₁·ω̃₃·p⁴+2·ω̃₀·ω₄·p⁴ (mod p⁵),
whence ω̃₄=12. Then
N≡(181,200+18,120·p+1,814·p²+97·p³+12·p⁴)² (mod p⁵). (59)
Proceeding in a similar fashion with
N≡(190,093+10,441·p+383·p²+72·p³+1·p⁴)² (mod p⁵). (60)
Comparison of the resulting {tilde over (ω)}i with the corresponding
or
({tilde over (ω)}i+
Thus, in the example,
181,200+190,093=p⁵
18,120+10,441=p⁴
1,814+383=p³
97+72=p²
12+1=p (63)
and
Ã+Ā=5·p⁵. (64)
Notice that, when à and Ā are subject to the constraint (49), as in (53) and (54), their sum equals p5.
Comparing the representations of à by (59) and (53), it can be stated that the representation proposed by (59) entails an equipartition of weight among the 5 degrees of freedom of (55).
NOTE 1: In the example, each coefficient ω̃_i of Ã is computed modulo p^{5−i}. If the magnitude constraint (49) were to be applied to the coefficients on the RHS of (59) and (60), the coefficients ω_i would be reduced modulo p and the structure (57) would be demolished.
In practice, the integer N, as represented on the RHS of (59) and (60), should be treated as a polynomial in some integer variable u, say P(u), where P(u) happens to be evaluated at u=p.
NOTE 2: In (55) the representation of the coefficients ω_i is arbitrary. In (59) and (60) such coefficients are represented in base 10. They may be represented in any other base, such as p.
NOTE 3: It should be noted that in (51) p⁴<N<p⁵ and in (55) A is being defined modulo p⁵. In general, such may not be the case. It is possible that A is defined modulo a larger power of p, depending on the requirements of the problem at hand. A similar situation occurs in the domain of irrational numbers, such as √2: √2 may be computed with a large number of decimal digits, depending on the precision required by the problem at hand. No harm is done if the precision of the computed value of √2 is greater than needed.
As an example, consider the case when p=13 and N₁<p². Assume that N₁=ν₀+ν₁·p=10+2·p. It is desired to solve
N₁≡A² (mod p⁵). (65)
In this case the integers ω_i are defined by the following:
For ω₀≡6 (mod p), the result is
N₁=10+2·p≡(181,200+18,120·p+1,291·p²+23·p³+2·p⁴)² (mod p⁵). (67)
Compare with (59).
NOTE 4: As a further application of this method of representation of integers, consider the problem of computing Ã⁻¹ (mod p⁵) when Ã is defined as in (55). Let
Ã⁻¹≡w₀+w₁·p+w₂·p²+w₃·p³+w₄·p⁴ (mod p) (68)
and
Ã·Ã⁻¹≡1 (mod p⁵). (69)
The coefficients w_i should be defined as the least positive solutions of the following:
In the example, Ã⁻¹≡18,120+26,749·p+1,590·p²+73·p³+9·p⁴ (mod p⁵).
The product Ã·Ã⁻¹ also contains the following terms:
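The coefficient scheme of (57) for the equipartition representation (55)-(56), and the inverse representation of NOTE 4, as an added Python example (not the patent's code; the function names are this example's own). It assumes the conditions the text lists, taken as least positive solutions: ω̃₀²≡ν₀ (mod p⁵), ν_i≡2·ω̃₀·ω_i+Σ_{j=1}^{i−1} ω̃_j·ω̃_{i−j} (mod p^{5−i}) for i≥1, and Σ_{j=0}^{i} ω̃_j·w_{i−j}≡0 (mod p^{5−i}) for the inverse; it reproduces the coefficients in (59), (60), (63) and (67) and the first two coefficients of (72), and verifies Ã·Ã⁻¹≡1 (mod p⁵) directly.

```python
# Added example, not from the patent: the equipartition representation of
# Section VII (coefficients w_i < p^(n-i) instead of digits < p) and the
# inverse representation of NOTE 4.  Function names are this example's own;
# the numbers reproduce the worked case p = 13, n = 5.


def hensel_sqrt(a, p, n, root_mod_p):
    """Least positive x with x*x = a (mod p^n) and x = root_mod_p (mod p).

    Standard Hensel (Newton) lifting; needs p odd and root_mod_p a unit mod p.
    """
    assert (root_mod_p * root_mod_p - a) % p == 0, "not a square root mod p"
    x = root_mod_p % p
    for k in range(2, n + 1):
        mod = p ** k
        # x <- x - (x^2 - a) / (2x): the derivative 2x is a unit, so the root lifts.
        x = (x - (x * x - a) * pow(2 * x, -1, mod)) % mod
    return x


def equipartition_sqrt(p, n, digits, root_mod_p):
    """Coefficients (w_0, ..., w_{n-1}) of A = sum w_i p^i with A^2 = N (mod p^n).

    digits are the base-p digits (nu_0, ..., nu_{n-1}) of N.  Conditions (57):
      w_0^2 = nu_0                                    (mod p^n)
      nu_i = 2 w_0 w_i + sum_{j=1}^{i-1} w_j w_{i-j}  (mod p^{n-i}),  i >= 1
    each solved for its least positive residue, so 0 <= w_i < p^(n-i).
    """
    assert len(digits) == n
    w = [hensel_sqrt(digits[0], p, n, root_mod_p)]
    for i in range(1, n):
        mod = p ** (n - i)
        # Products of already-fixed coefficients that land on p^i.
        cross = sum(w[j] * w[i - j] for j in range(1, i))
        w.append((digits[i] - cross) * pow(2 * w[0], -1, mod) % mod)
    return w


def equipartition_inverse(p, n, w):
    """Coefficients (c_0, ..., c_{n-1}) with A * (sum c_i p^i) = 1 (mod p^n).

    Same layout as NOTE 4: c_0 = w_0^{-1} (mod p^n) and, for i >= 1,
      sum_{j=0}^{i} w_j c_{i-j} = 0   (mod p^{n-i}).
    """
    c = [pow(w[0], -1, p ** n)]
    for i in range(1, n):
        mod = p ** (n - i)
        cross = sum(w[j] * c[i - j] for j in range(1, i + 1))
        c.append(-cross * pow(w[0], -1, mod) % mod)
    return c


def evaluate(p, coeffs):
    """The integer sum coeffs[i] * p^i, without any reduction."""
    return sum(c * p ** i for i, c in enumerate(coeffs))


if __name__ == "__main__":
    p, n = 13, 5
    # Base-13 digits of N read off the moduli in (57)-(58); constructed here, N = 12,711.
    digits = [10, 2, 10, 5, 0]
    w = equipartition_sqrt(p, n, digits, 6)      # coefficients of (59)
    w_bar = equipartition_sqrt(p, n, digits, 7)  # coefficients of (60)
    print(w, w_bar)
    print(evaluate(p, w) ** 2 % p ** n == evaluate(p, digits))
    print([a + b == p ** (n - i) for i, (a, b) in enumerate(zip(w, w_bar))])  # (63)
    print(equipartition_inverse(p, n, w))
```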
1) Introduction. Definition of M.
Given p and N, select Ã as one of the solutions of (47) modulo p^n, computed using the procedure described in Section VII. Assume Ã>p^n (64).
Then, using (35), let
N≡Ã²−U²·p²−2·Ã·V·p²+V²·p⁴, (72)
where
Referring to (59), recall that each ωi can be represented as
Also,
and
Then
The representation (77) of r and s accounts for the fact that both r and s are smaller than p^n. However, using (77), the product of r by s contains powers of p greater than p^n, actually as high as p^{2·n−2}.
In order to uncover the properties which relate the coefficients of (77), it is necessary to compute, and represent without loss of information, the multiples of any p^i which result from the multiplication of r by s. To this end a new modulus is introduced, namely p^M, where
It should be noticed that:
1) M is always odd.
2) If n=2·k̃+1, then M=4·k̃+1.
3) The use of M does not affect the magnitude of N. If N<p^n, it can be represented as follows:
4) When M is employed in lieu of n, Ã should be computed as a solution of the following:
N≡A² (mod p^M). (80)
5) s=s₀ and r>s₀.
6) A comparable result is achieved when T̃₀ is employed in lieu of τ̃.
2) The Approach
In the case where (79) is employed, reduction of (77) modulo p³ yields
Then, if the pair (ũ₁, ν̃₂) is a solution of (81) modulo p, it is
The LHS of this congruence contains a contribution to the set of multiples of p³. This contribution is usually denoted as a “carry”. The flow of carries from one digit to the higher powers of p increases the complexity of the factorization problem. The flow of carries would be controlled better if (81) were solved modulo p^M and the pair (u₁₂, ν₂) were defined modulo p^{M−2}. In this case (82) could take the following form:
This approach would require removing the magnitude constraints (49) from the elements of {u_i} and {ν_i} and assuring that the RHS of congruences such as (83) includes all the terms which are multiples of any given p^i. Following this procedure, there would still be carries, as shown on the LHS of (83). However, such carries would flow from any given congruence directly into a pool of multiples of p^M.
The plan of this presentation consists of analyzing each of the terms of (72) with the appropriate definition of Ã and resolving them into the sum of powers of p. Then, for any given power of p, say p^i, add all the coefficients of p^i which are produced by Ã²−N, −2·Ã·(Ã−Y), (Ã−Y)² and −X² and place the condition that their sum be congruent to zero modulo p^{M−i}.
3) The Integer Ã²−N
Let Ã be defined as in (73), where the integers ω̃_i are determined using the procedure illustrated in Section VII. Thus, for i<M,
where
In fact, N≡τ̃²·α̃² (mod p²) and also N≡(ω₀+ω₁·p)² (mod p²).
Consider then the integer Ã²−N. As an illustration, refer to
Let LH_i and RH_i denote the LHS and the RHS, respectively, of the congruence containing ν_i. For i<M each (LH_i−RH_i), multiplied by the corresponding p^i, contributes to the resulting polynomial a known multiple of p^M. In fact,
For i>M, Ã² contains terms of degree greater than p^M. The highest power of p in Ã²−N is p^{2·M−2}. In fact, the highest power of p in Ã is p^{M−1}. After squaring, the highest power in this representation of Ã² is p^{2·M−2}.
Therefore, for i=M+j and j≥0, Ã²−N contains multiples of p^{M+j}, say p^{M+j}·Q_j, where
The total contribution, for all j≥0, is
As a conclusion:
1) For i<M, by (84),
(ν_i−RH_i)·p^i≡0 (mod p^M). (89)
2) For i=M each of the terms on the corresponding line of slope 1 is a coefficient of p^M.
3) For i>M each of the terms on the corresponding line of slope 1 is a coefficient of p^M·p^j, where 0<j=i−M. Refer to
In particular, in the example (59), it is
4) The Relationship Between ν_i and u_{i−1} when u₁≢0 (mod p)
Consider the representation of the pair (r, s) as in (77), where Ã is constructed as described in Section VII, and M is used in lieu of n. Thus, when r is multiplied by s, it is possible to group all the terms which contain any multiple of any given power of p, say p^i, and place the condition that the sum of their coefficients be congruent to zero modulo p^{M−i}.
However, by (84), resolving the integer Ã²−N into its components, the sum of the coefficients of p^i in (Ã²−N) equals
(η_i an integer).
As a result, consider the case when it is desired to express ν₆ as a function of all the u_l's (1≤l≤5) and the ν_j's (2≤j≤5). It will be
−(2·ω̃₀·ν₆+2·ω̃₁·ν₅+2·ω̃₂·ν₄+2·ω̃₃·ν₃+2·ω̃₄·ν₂)+2·ν₂·ν₄+ν₃²≡2·u₁·u₅+2·u₂·u₄+u₃² (mod p^{M−6}). (92)
This congruence defines ν₆ modulo p^{M−6} as a function of lesser degree variables. If u₁≢0 (mod p) and if all the variables of lesser degree are known, (92) defines a linear congruence between ν₆ and u₅ modulo p^{M−6}. After the determination of ν₆, upon multiplication by p⁶, it will be
where LH₆ and RH₆ denote the LHS and RHS of (92), respectively. The LHS of this latter congruence is a multiple of p^M and does not contain any power of p greater than p^M.
In general, for 2≤i≤M−1,
The first summation on the LHS of (94) contains terms which result from the multiplication of −2·Ã by (Ã−Y), when Ã is represented as described in Section VII. The second summation on the LHS results from (Ã−Y)².
5) The Product 2·Ã·(Ã−Y)
Some of the cells represent products ω̃_j·ν_i which have been included in (94). Refer to (92) as an example. As a further example, the cells on the line of slope 1 which contains ω̃₀·ν_{M−1} and ω̃_{M−3}·ν₂ represent coefficients of p^{M−1} which are employed to write (94) modulo p.
The cells on the line of slope 1 which contains ω̃_{M−1}·ν₂ represent coefficients of p^{M+1} and are not included in (94).
The highest power of p contained in 2·Ã·(Ã−Y) is p^{2·M−2}, obtained through the product of ω̃_{M−1}·p^{M−1} by ν_{M−1}·p^{M−1}.
6) The Integer (Ã−Y)²
Since the largest power of p in Y is p^{M−1}, (94) must also be written for i=M−1. Then the LHS of (94) must include cells representing the products ν₂·ν_{M−3}, ν₃·ν_{M−4}, etc. Cells representing coefficients of higher powers of p are not absorbed into (94) and contribute to Σ₀, where Σ₀ denotes the sum of all the products ν_i·ν_j·p^i·p^j which have not been absorbed as terms of any of the congruences (94). It will be
7) The Integer X²
Since the largest power of p in X is p^{M−1}, (94) must also be written for i=M−1. Then the RHS of (94) must include cells representing the products u₂·u_{M−3}, u₃·u_{M−4}, etc. The cells on the line of slope one which contains u₁·u_{M−1} represent multiples of p^M. The cells on the line of slope one which contains u₂·u_{M−1} represent multiples of p^{M+1}. In general, let Ξ₀ denote the sum of the products u_i·u_j·p^i·p^j which have not been absorbed as terms of any of the congruences (94). It will be
Consider the case when u_{M−1}=0 and u_{M−2}≠0. In this case u₂·u_{M−1}=0. Then the line of slope one containing multiples of p^{M+1} does not contain any cell which has a coefficient of p^{M+1} dependent on u₂. Refer to
IX. THE RELATIONSHIP BETWEEN ν_i AND u_i WHEN u_{M−1}≠0
1) The Approach
Consider the general expression (77) of (r, s). Multiply r by s modulo p^M. Using (94), it will be
where the LH_i and RH_i denote the LHS and RHS of (94), respectively.
Therefore,
Recall that, when using (94), for i≤M−1, the multiples of p^M produced by (97) do not contain any power of p greater than p^M. Thus, their presence on the RHS of (98) does not interfere with the process of analyzing the coefficients of higher powers of p.
A relationship between ν_i and u_i can be produced by placing the condition that the carries flow from any power of p greater than p^M, say p^{M+j} (j≥1), to higher powers of p, say p^{M+j+1}. This condition implies that the sum of the coefficients of any power of p greater than p^M equals zero modulo p^j and no carry flows into p^{2·(M−1)+1}.
Starting from the highest power of p, observe that in (95) the highest power of p is p^{2·M−2}. In fact, Y<p^M and the highest power of p in Y is p^{M−1}. After squaring, the highest power is p^{2·M−2}. A similar situation occurs for Ã²−N, where
Q_{M−2}=ω̃_{M−1}². (99)
Concerning the product −2·Ã·ν_{M−1}, the highest power of p it contains is p^{2·M−2}, with a coefficient of −2·ω̃_{M−1}·ν_{M−1}. Then
0=p^M·(Q_{M−2}·p^{M−2})−2·ω̃_{M−1}·ν_{M−1}·p^{2·M−2}+(ν_{M−1}·p^{M−1})²−(u_{M−1}·p^{M−1})². (100)
As a result,
(ω̃_{M−1}−ν_{M−1})²=u_{M−1}², (101)
or
(ω̃_{M−1}−ν_{M−1}−u_{M−1})·(ω̃_{M−1}−ν_{M−1}+u_{M−1})=0. (102)
2) The Case when ω̃_{M−1}−ν_{M−1}=u_{M−1}
Consider (98) in the case when u_{M−1}>0 and ω̃_{M−1}−ν_{M−1}=u_{M−1}. The second highest power of p in Σ₀ is p^{2·M−3}. The same is true in Ã²−N. In −2·Ã·(Ã−Y) the coefficient of p^{2·M−3} is −2·ω̃_{M−2}·ν_{M−1}−2·ω̃_{M−1}·ν_{M−2}. Therefore,
0=2·ω̃_{M−1}·ω̃_{M−2}−2·ω̃_{M−1}·ν_{M−2}−2·ω̃_{M−2}·ν_{M−1}+2·ν_{M−1}·ν_{M−2}−2·u_{M−1}·u_{M−2} (103)
or
2·(ω̃_{M−1}−ν_{M−1})·(ω̃_{M−2}−ν_{M−2})=2·u_{M−1}·u_{M−2}. (104)
By (102), if u_{M−1}≠0 and ω̃_{M−1}−ν_{M−1}=u_{M−1}, it must be
ω̃_{M−2}−ν_{M−2}=u_{M−2}. (105)
At the next iteration, the contributions to (98) are the following multiples of p^{2·M−4}:
Therefore,
2·(ω̃_{M−1}−ν_{M−1})·(ω̃_{M−3}−ν_{M−3})+(ω̃_{M−2}−ν_{M−2})²=2·u_{M−1}·u_{M−3}+u_{M−2}². (107)
By (102) and (105),
ω̃_{M−3}−ν_{M−3}=u_{M−3}. (108)
At every iteration the sequence produces a similar relationship between ν_i and u_i. The sequence ends after it concludes that
ω̃₂−ν₂=u₂. (109)
In general
These conclusions were reached without interference from (97), which contains multiples of p^M only. Indeed, the last equation in the sequence, the one which produced (109), is an equation which operates on multiples of p^{M+1}. Refer to (94) and the illustration in
Consider the representation of the pair (r, s) as in (77). Substitution of (110) into (77) yields
or
3) The Case when ω̃_{M−1}−ν_{M−1}=−u_{M−1}
Consider (98) in the case when u_{M−1}>0 and ω̃_{M−1}−ν_{M−1}=−u_{M−1}. In this case (104) yields
ω̃_{M−2}−ν_{M−2}=−u_{M−2}. (113)
Likewise, (107) yields
ω̃_{M−3}−ν_{M−3}=−u_{M−3}. (114)
and, in general,
ω̃_i−ν_i=−u_i. (115)
In this case, substitution of (115) into (77) yields
or
NOTE 1: There are two sets of conditions which can assist in the solution of the factorization problem. The first set is the congruences (94). If u₁≢0 (mod p), for 2<i<M they establish linear relationships between ν_i and u_{i−1} modulo p^{M−1} when the variables ν_j and u_j of lesser degree are known. Refer to the example in (92).
The second set is the equations (110) or (115).
Substitution of (110) into (77) produced (111) and (112). Substitution of (115) into (77) produced (116) and (117).
NOTE 2: Using (111) or (112) to compute (r+s)/2 and (r−s)/2 produces the same results as (77). The benefit of (111) and (112) lies in the fact that, when r is multiplied by s modulo p^M, the product does not contain any power of p higher than p^M. Also, except for u₁, with u₁≢0 (mod p), (112) and (111) are linear functions which contain only the set {ν_i} or {u_i}, respectively. Similar considerations apply to (116) and (117).
4) The Case when u_{M−1}=0
Consider the case when u_{M−1}=0. In this case, equation (102) becomes
ω̃_{M−1}−ν_{M−1}=0. (118)
Therefore, no information can be produced using (104). However, (107) yields
ω̃_{M−2}−ν_{M−2}=±u_{M−2}. (119)
If u_{M−2}≠0, the process can be continued until it concludes that
ω̃₃−ν₃=u₃ (120)
or
ω̃₃−ν₃=−u₃. (121)
In fact, if u_{M−1}=0, u₃·p³ is the lowest degree element which, when multiplied by u_{M−2}·p^{M−2}, produces a multiple of p^{M+1}. Again, there is the possibility that u_{M−2} is zero. In this case (110) or (115) are applicable only when i equals or exceeds 4. The situation is illustrated by Section VIII.7 and
In general, assume that u₁≢0 modulo p and u_{M−j}=0 for 1≤j≤j₀. Then (110) is applicable only for i≥j₀+2. In these cases the general expression of the pair (r, s) is
Compare with (111). Also, in this case, (112) becomes
Similarly, if (93) is used in lieu of (110), (116) is replaced by
and (117) is replaced by
Notice that a priori there is no knowledge of whether u_{M−1} is or is not zero. The same is true for u_{M−2}, etc. Therefore, at this point, j₀ is an undetermined integer.
NOTE 1: When using (124) and (122), the pair (r, s) is dependent on the set {u_i} and on the first elements of {ν_i}, for 2≤i≤j₀+1. In such cases, the general expression of (r, s) is
where
zk={tilde over (ω)}k−νkuk (127)
or
where
ζ_k=ω̃_k−ν_k−u_k. (129)
X. THE PROCESS
1) The Case when u_{M−1}≠0 (j₀=0)
1.1) Overview
Consider the case when u_{M−1}≠0. In this case (111) becomes
If
multiplication of r by s modulo p^M yields:
Let RH(132)_i and LH(132)_i denote the RHS and the LHS, respectively, of that congruence in (132) which is defined modulo p^{M−i}. Then, it must be
RH(132)_i−LH(132)_i≡0 (mod p^{M−i}). (133)
Define
There is one condition which is not contained in (132): that is the condition that the sum of all the multiples of p^M in the system be equal to zero. Specifically, refer to (130). If u_{M−1}≠0, the highest power of p is produced when (ω̃₁−u₁)·p is multiplied by 2·u_{M−1}·p^{M−1}. There are other multiples of p^M in the system, specifically Q·p^M, η̃₀·p^M and η̃₁·p^M and the integers C(133)_i·p^M for i≥2. (Refer to (87) and (91).) Equating to zero the sum of all the coefficients of p^M, it must be
1.2) Tidbits
NOTE 1: Refer to (77). By (7), X<N. The magnitude of the integer X is not dependent on the representation of N. If N and X were represented in base p, and X were to approximate N closely, it would be 0<u_{M−1}<p and one of the two factors of N would approximate 1 closely.
NOTE 2: In general, the integers N₀ are pre-screened to test divisibility by the first elements of the sequence of primes. Thus, it is reasonable to assume that in all cases u_{M−1}=0. Recall that the representation of U as in (73), where {u_i} are p^{M−i}-constrained positive integers, offers many degrees of freedom, and no practical limitation on the magnitude of U results when u_{M−1} is set equal to zero. In fact, any integer U can be represented by a multitude of selections of the set {u_i}.
NOTE 3: There is a peculiar situation when the pair (r, s) can be described as in (130). Consider the case when ν₀ is a perfect square, say ν₀=Ã₀²<p. In these cases ω̃₀ is a small integer and ω̃₀=Ã₀. Then the second of (130) yields
Some cases were observed when ν₀=Ã₀²<p, s was two digits long in base p and u_{M−1} was nonzero.
NOTE 4: In this presentation it will be assumed that ω̃₀²>p².
2) The Case when j₀=1 (u_{M−1}=0 and u_{M−2}≠0)
2.1) Overview
Consider the case when it has been assumed that u_{M−1}=0. It is desired to determine a pair of divisors (r, s) when u_{M−2}≠0, if such a pair exists. In this case (126) and (128) can be written as follows:
where
Ã₂=ω̃₀+ω̃₁·p+ω̃₂·p² (138)
and
where
Ã₁=ω̃₀+ω̃₁·p (140)
and where ζ₂ is defined as in (129):
Compare with (128) and (129).
Using (139), multiply r by s modulo p^M. Setting the sum of the coefficients of any given power of p congruent to zero (mod p^{M−i}) yields
Let RH(142)_i and LH(142)_i denote the RHS and the LHS, respectively, of that congruence in (142) which is defined modulo p^{M−i}. Then, it must be
RH(142)_i−LH(142)_i≡0 (mod p^{M−i}). (143)
Define
There is one condition which is not contained in (142): that is the condition that the sum of all the multiples of p^M in the system be equal to zero. Specifically, refer to (139). If u_{M−2}≠0, the highest power of p is produced when ζ₂·p² is multiplied by 2·u_{M−2}·p^{M−2}. The other multiples of p^M in the system are Q·p^M, η̃₀·p^M, η̃₁·p^M and the integers C(142)_i·p^M. Then, equating to zero the sum of the coefficients of p^M, it must be
Refer to (88) and (91).
In this equation the integer u_{M−2} is defined modulo p² by the second last congruence of (142).
Also, in the computation of C(142)_{M−1}, the integers u_{M−2} and u_{M−3} equal the corresponding values in the second last congruence of (142).
The set of congruences (142) can be referred to as a SUPERCONGRUENCE.
2.2) Tidbits
1) Subject to the condition (131), if (142) and (145) do not admit integer solutions, there does not exist an integer r which can be described as in (142) and such that r|N.
2) The system (142) consists of M congruences. Given the selection of an integer u₁<p, the third congruence of (142) defines a corresponding value of ν₂ modulo p^{M−2}.
3) The selection of an integer u₂<p defines
ζ₂=ω̃₂−ν₂−u₂. (146)
Refer to (141).
4) The solution of the fourth congruence of (142) produces a corresponding u₃.
5) The last congruence of (142) verifies the compatibility between ũ_{M−2} and ν_{M−1} and causes a paring down of the roster of candidate pairs (u₁, u₂).
6) If the system (142) produces a candidate pair (u₁, u₂), the viability of that pair should be tested using (145). Of course, (145) can be satisfied only if
Refer to (87).
NOTE 1: To expedite the execution of (142), observe that each one of the higher degree congruences of (142) must hold true if reduced modulo p². Therefore, (142) could be reduced as follows:
In (148) each congruence produces a carry which must be added to C(142)_{M−1}. For i<M−1 the carries produced by the congruences (148) are
The total of these carries must satisfy the following:
Notice that the magnitude of M does not burden the execution time of any of the congruences of (148). However, it determines the NUMBER of such congruences and the time required to execute the addition of M two-digit numbers (which are represented in base p).
2.3) A Test
Consider the case when the true divisors of $N_0$, say $\tilde r_0$ and $\tilde s_0$, are known. Then, after the computation of $\tilde T_{0,NT}$
If the true solution pair $(\tilde r_0,\tilde s_0)$ were known, it would be
$\tilde s_0\equiv\tilde\omega_0+(\tilde\omega_1-\tilde u_{1,1})\cdot p+(\tilde\omega_2-\tilde\nu_2-\tilde u_{2,1})\cdot p^2\pmod{p^3}$, (151)
and the pair $(\tilde u_{1,1},\tilde u_{2,1})$ would be an element of the set of pairs which satisfy (142) (Table I).
In general, such is not the case.
The contradiction can be explained by observing that, given $N_0$, the set of feasible pairs represented in Table I is dependent on the prior definition of $M$. Should $M$ be replaced by some $M_1=M+2\cdot m_1$ ($m_1$ an integer $>0$), the set of feasible pairs in Table I would be different.
Since $\tilde s_0$ is not known, the situation can be addressed by exploring independently all the possible definitions of (148), each one associated with a distinct value of $M$.
2.4) The Periodic Components of (148)
Consider the case when $M$ has been defined using (78). In this case the system (142) consists of $M$ congruences. The LHS of the last $n-1$ congruences is congruent to zero modulo $p^{M-i}$. Thus, if $n-1<i<M-1$, it is
$0\equiv 2\cdot\tilde\omega_0\cdot u_i+2\cdot(\tilde\omega_1-u_1)\cdot u_{i-1}+2\cdot\zeta_2\cdot u_{i-2}\pmod{p^2}$. (152)
Notice that the coefficients $\tilde\omega_0$, $\tilde\omega_1-u_1$, and $\zeta_2$, after reduction modulo $p^2$, do not depend on $i$, but depend on the selection of the pair $(u_1,u_2)$.
Thus, the system (142) contains a sequence of components which are related to one another as follows:
To clarify the role of the integer $p-1$, assume that (142) is satisfied. Then, if $\omega_1-u_1\not\equiv 0\pmod p$ and $\zeta_2\not\equiv 0\pmod p$ (131), it will be
$0\equiv\zeta_2^{-1}\cdot(\omega_1-u_1)\cdot u_{M-2}+u_{M-3}\pmod p$, (154)
and
$0\equiv\zeta_2^{-1}\cdot\omega_0\cdot u_{M-2}+\zeta_2^{-1}\cdot(\omega_1-u_1)\cdot u_{M-3}+u_{M-4}\pmod p$, (155)
whence
$0\equiv\left(\zeta_2^{-1}\cdot\omega_0-\zeta_2^{-2}\cdot(\omega_1-u_1)^2\right)\cdot u_{M-2}+u_{M-4}\pmod p$. (156)
In a similar fashion,
$0\equiv\zeta_2^{-1}\cdot\omega_0\cdot u_{M-3}+\zeta_2^{-1}\cdot(\omega_1-u_1)\cdot u_{M-4}+u_{M-5}\pmod p$
$\equiv-\zeta_2^{-2}\cdot\omega_0\cdot(\omega_1-u_1)\cdot u_{M-2}-\zeta_2^{-2}\cdot\omega_0\cdot(\omega_1-u_1)\cdot u_{M-2}$
$\quad+\zeta_2^{-3}\cdot(\omega_1-u_1)^3\cdot u_{M-2}+u_{M-5}\pmod p$
$\equiv\left[-2\cdot\zeta_2^{-2}\cdot\omega_0\cdot(\omega_1-u_1)+\zeta_2^{-3}\cdot(\omega_1-u_1)^3\right]\cdot u_{M-2}+u_{M-5}\pmod p$. (157)
Similar relationships can be developed to relate $u_{M-i}$ to $u_{M-2}$ modulo $p$. Such relationships contain two terms. As $i$ increases, both terms display a periodicity of $p-1$, or of one of its divisors.
Thus, given a selection of the pair $(u_1,u_2)$, the specific embodiment of (142) for a given $M$ can be related to a corresponding embodiment for $M'=M+k\cdot(p-1)$ for some integer $k$. Recall that, if $M$ is increased by $p-1$, the number of congruences in (142) is increased by $p-1$.
2.5) A New Definition of M
The variability of $M$ can be reduced by observing (24) and (41). Consider a process which evolves (24) into (41). Assume it can be iterated into higher powers of $p$ until the resulting product $r\cdot s_0$ exceeds the corresponding $N$. The process could end at that point and would offer a conclusion on the viability of $\tilde\alpha$, $\tilde U_{1,1}$ and the subsequent sets of $(U_i,V_{2\cdot i})$ variables.
Notice that in (32), after multiplication of $r$ by $s_0$, the highest power of $p$ in the system is $p^4$. In (37) it is $p^8$. In the subsequent iterations it would be p2
$M=2^h+1$, for $h>0$ (158)
or
Compare with (78).
2.6) Privileged sets of exponents M
Consider the case when an integer $k\cdot(p-1)$ is added to $M$. It is desired that the pairs $(u_1,u_2)$ be proven still viable when $M$ is replaced by $M_1=M+k\cdot(p-1)$. This condition can be satisfied if both $M_1$ and $M$ satisfy (159).
In this case,
$2^h+k\cdot 4\cdot ODD=2^j$ (160)
or
$1+k'\cdot ODD=2^{j-h}$
where
$k=2^{h-2}\cdot k'$. (161)
If $p=29=4\cdot 7+1$, the condition is satisfied when $k'=1$ and $2^{j-h}=2^3$.
For the example of Table I, Table II shows the feasible (u1, u2) pairs for a sequence of values of M which satisfy (159).
Table III discards the $(u_1,u_2)$ pairs which are not confirmed when $M-1$ is multiplied by $p^3$.
Table IV shows an example of a confirmed pair when $p=61$.
Table V shows the values of $k'$ and $2^{j-h}$ for a set of primes of the form $p=4\cdot ODD+1$.
NOTE 1: The periodicity of (148) is dependent on the periodicity of the two coefficients of $u_{M-2}$ in (157). If both coefficients have periodicity $p-1$, the resulting periodicity of (148) and $M$ are illustrated by Table V.
However, in general, each one of the two coefficients of $u_{M-2}$ may have its own periodicity, which equals any one of the divisors of $p-1$.
Table VI shows a case when $p=29$ and the integer $2^{j-h}$ of Table V is replaced by $2^4$.
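The privileged-exponent condition of (158), (160) and (161) can be checked mechanically. The following is an added example, not code from the patent: given a prime $p=4\cdot ODD+1$ with $ODD$ odd, it finds the smallest $k'\ge 1$ for which $1+k'\cdot ODD$ is a power of two, and builds $M_1=M+k\cdot(p-1)$ from $M=2^h+1$ so that $M_1-1$ is again a power of two. The function names and the list of sample primes are this example's own assumptions; because $ODD$ is odd, the search for the exponent $j-h$ always terminates (it is the multiplicative order of 2 modulo $ODD$).

```python
# Added example (not part of the patent text): the "privileged" exponent
# condition (160)-(161) for a prime p = 4*ODD + 1 with ODD odd.  Given
# M = 2**h + 1 as in (158), find the smallest k' >= 1 with
# 1 + k'*ODD == 2**(j-h); then M1 = M + k*(p-1) with k = 2**(h-2)*k'
# is again of the form 2**j + 1.  All function names are this example's own.


def odd_part(p):
    """Return ODD for p written as p = 4*ODD + 1; reject p not of that form."""
    if p % 4 != 1:
        raise ValueError("p must be of the form 4*ODD + 1")
    odd = (p - 1) // 4
    if odd % 2 == 0:
        raise ValueError("ODD must be odd, i.e. p must be 5 modulo 8")
    return odd


def privileged_k(p):
    """Smallest k' >= 1 and the exponent e = j - h such that 1 + k'*ODD == 2**e.

    ODD is odd, so 2 is invertible modulo ODD and some power of 2 is
    congruent to 1 modulo ODD: the loop terminates with e equal to the
    multiplicative order of 2 modulo ODD.
    """
    odd = odd_part(p)
    e = 1
    while (2 ** e - 1) % odd != 0:
        e += 1
    return (2 ** e - 1) // odd, e


def next_privileged_M(p, h):
    """From M = 2**h + 1 (h >= 2) return (M, k, M1) with M1 = M + k*(p-1).

    k = 2**(h-2) * k' as in (161); M1 - 1 == 2**(h+e) is a power of two, so
    M1 satisfies the same form (158) as M.
    """
    if h < 2:
        raise ValueError("h >= 2 is needed for k = 2**(h-2)*k' to be an integer")
    kprime, e = privileged_k(p)
    M = 2 ** h + 1
    k = 2 ** (h - 2) * kprime
    M1 = M + k * (p - 1)
    assert M1 - 1 == 2 ** (h + e)   # the defining property of a privileged M1
    return M, k, M1


if __name__ == "__main__":
    # constructed sample primes of the form 4*ODD + 1 with ODD odd
    for p in (13, 29, 37, 61):
        kprime, e = privileged_k(p)
        print(f"p={p}: ODD={odd_part(p)}, k'={kprime}, 2^(j-h)=2^{e}")
    # p = 29, h = 3: M = 9, k = 2, M1 = 65 = 2**6 + 1
    print(next_privileged_M(29, 3))
```

For $p=29$ the example reproduces the value quoted in the text ($k'=1$, $2^{j-h}=2^3$); for other primes the exponent can be much larger, which is why the page tabulates it per prime in Table V.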
2.7) The Determination of $U_{1,2}$
The system (142) has been developed without placing any condition on the magnitude of $u_1$, $u_2$, and the subsequent $u_i$'s. It is useful to explore the case when $u_1$ and $u_2$ are defined as follows:
where $0<u_{1,1},u_{2,1}<p$. Refer to (76).
Consider the system (128) when $j_0=1$. In this case the general expression of $s$ is
$s\equiv\tilde\omega_0+(\tilde\omega_1-u_1)\cdot p+(\tilde\omega_2-\tilde\nu_2-u_2)\cdot p^2\pmod{p^3}$. (163)
If the pair $(u_{1,1},u_{2,1})$ were substituted in lieu of $(u_1,u_2)$, it would be
$s\equiv\tilde\omega_0+(\tilde\omega_1-u_{1,1})\cdot p+(\tilde\omega_2-\tilde\nu_2-u_{2,1})\cdot p^2\pmod{p^3}$. (164)
If the pair $(U_{1,2},U_{2,2})$ were substituted in lieu of $(u_1,u_2)$, it would be
$s\equiv\tilde\omega_0+(\tilde\omega_1-U_{1,2})\cdot p+(\tilde\omega_2-\tilde\nu_2-U_{2,2})\cdot p^2\pmod{p^4}$. (165)
If $u_{1,2}\neq 0$, reduction of (165) modulo $p^3$ would produce a congruence which is not consistent with (164). Therefore, $u_{1,2}$ must equal zero.
2.8) The Determination of $U_{2,2}$
Consider the case when, given $M$, the systems (142) and (148) have produced a set of viable pairs $(u_{1,1},u_{2,1})$. Such pairs define viable expressions of $s\pmod{p^3}$.
It is desired to define corresponding viable expressions of $s\pmod{p^4}$.
This can be accomplished by defining that value of $U_{2,2}$ which satisfies both (142) and the corresponding condition on the carries. For this purpose:
1) Substitute a candidate $U_{2,2}$ into (142) in lieu of $u_2$.
2) Define the integer
$\zeta_{2,2}=\tilde\omega_2-\tilde\nu_2-U_{2,2}$ (166)
and substitute it into (142) in lieu of $\zeta_2$.
Notice that after these substitutions, every selection of $U_{2,2}$ satisfies (142). However, the pair $(u_{1,1},u_{2,1})$ is feasible only if there exists at least one value of $u_{2,2}$ which satisfies the condition (147) on the carries modulo $p$.
To produce the solution $u_{2,2}$, it is convenient to use an approach similar to (148). Specifically, after replacement of $u_{2,1}$ by $U_{2,2}$, all the congruences of (148), with the exception of the last two congruences, can be reduced modulo $p^3$ yielding
Correspondingly, with the exception of the last two congruences, the carries should be defined as
and the condition (150) can be restated as follows:
NOTE 1: Compare two different expressions of $s\pmod{p^4}$:
$s\equiv\tilde\omega_0+(\tilde\omega_1-u_1)\cdot p+(\tilde\omega_2-\tilde\nu_2-u_2)\cdot p^2+(\tilde\omega_3-\nu_3-u_3)\cdot p^3\pmod{p^4}$ (170)
and
$s\equiv\tilde\omega_0+(\tilde\omega_1-u_1)\cdot p+(\tilde\omega_2-\nu_2-u_{2,1}-u_{2,2}\cdot p)\cdot p^2\pmod{p^4}$. (171)
Then
$-u_{2,2}\equiv\tilde\omega_3-\nu_3-u_3\pmod p$. (172)
Recall that $\nu_3$ can be computed using (94).
Table VII shows the resulting $(u_{1,1},u_{2,1},u_{3,1})$ triads for the example of Table III.
NOTE 2: In general, the execution of (167) and the corresponding (169) produce only one candidate value of $u_{2,2}$. In some cases, more than one value results. In these cases, all the corresponding values of $U_{2,2}$ must be explored.
2.9) The General Case
After the determination of $U_{2,2}$, a similar procedure can be employed to determine $U_{2,3}$, where
$\zeta_{2,3}=\tilde\omega_2-\nu_2-u_{2,1}-u_{2,2}\cdot p-u_{2,3}\cdot p^2$. (173)
In this case the moduli of (167) should be increased to $p^4$ and the corresponding carries (168) should be adjusted accordingly. The resulting condition on the carries (169) would be computed modulo $p^2$.
Thereafter, the procedure can be iterated to determine the higher components of $U$.
Each step would propose a new value of $s$ as a candidate divisor of $N_0$. If none of these steps offers a divisor of $N_0$, the initial $(u_{1,1},u_{2,1})$ pair must be discarded.
2.10) Execution Time
This section contains an estimate of the upper bound of the time required to factor $N$ using the procedure just described.
For the purpose of this estimate, it will be assumed that elementary arithmetic operations require a time of an order not exceeding $\log_p^2 N$, where $p$ denotes the base of representation of $N$.
The same can be assumed for the computation of multiplicative inverses, other linear congruences and square roots.
The proposed algorithm requires repeated execution of supercongruences such as (142) or (148). These systems consist of $M$ congruences which are defined by a modulus as high as $p^M$. Thus, their execution can be assumed to require a time of the order of $M^3$.
Usually (142) is executed for the purpose of identifying the feasible values of a particular variable. Such is the case when (142) is executed to identify the values of $u_{2,1}$ which are consistent with a known $u_{1,1}$. Thus, the execution time of a supercongruence is $p\cdot M^3$.
Accounting for the variability of $u_{1,1}$ and $\alpha$, the production of all the feasible triads $(\alpha,u_{1,1},u_{2,1})$ requires a time of the order of $p^3\cdot M^3$.
Observing TABLE III, it can be concluded that the number of feasible triads $(\alpha,u_{1,1},u_{2,1})$ is of the order of $p^2$. After the determination of the feasible pairs $(u_{1,1},u_{2,1})$ for a given $\alpha$, such pairs are employed to determine the corresponding sequence of $u_{2,i}$'s. The determination of all $u$'s for a given $\alpha$ requires the execution of as many as $\log_p N_0$ supercongruences. Thus the execution time for all $\alpha$ would be of the order of $p^2\cdot(p\cdot M^3)\cdot M$.
In particular, when $p$ approximates the value of $M$, the execution time is of the order of $p^7$.
3) The Case when $j_0=2$
3.1) Overview
Consider the case when a roster of candidate pairs $\{(\tilde U_{1,1},\tilde U_{2,1})\}$ has been determined and none of the corresponding pairs $(r,s)$ represent divisors of $N$. Thus a new variable, $\zeta_3$, can be introduced. The pair $(\tilde U_{1,1},\tilde U_{2,1})$ is feasible only if there exists an integer $\zeta_3$ such that
Notice that in (175) $u_1$, $u_2$ and $\zeta_2$ are known integers, say $\tilde u_1$, $\tilde u_2$ and $\tilde\zeta_2$. Multiplication of $r$ by $s$ modulo $p^M$ yields:
For each initial selection of the pair $(u_1,u_2)$, the system (176) may produce a triad $(u_1,u_2,\zeta_3)$ such that $r\cdot s\equiv N\pmod{p^4}$.
3.2) Determination of $u_3\pmod p$ using (176)
STEP 1: Select an element of the roster $\{(u_1,u_2)\}$ representing a solution of (142), say $(\tilde U_{1,1},\tilde U_{2,1}\mid M)$.
STEP 2: Using (94), compute $\nu_3\pmod{p^{M-3}}$, say $\tilde\nu_{3,1}$. The same result can be obtained by observing that in (176) the congruence which is defined modulo $p^{M-3}$ can be written as follows:
$0\equiv-2\cdot\tilde\omega_0\cdot\nu_{3,1}-2\cdot\tilde\omega_1\cdot\tilde\nu_{2,2}-2\cdot\tilde U_{1,1}\cdot\tilde U_{2,1}\pmod{p^{M-3}}$. (177)
This congruence does not contain $u_3$ and allows one to determine $\nu_{3,1}$ modulo $p^{M-3}$.
STEP 3: To compute an integer $u_3\pmod p$ which satisfies (176), select an initial value of $u_3\pmod p$, say $\tilde u_{3,1}$.
STEP 4: Compute a corresponding value of $\zeta_3$, say $\tilde\zeta_{3,1}$, where
$\tilde\zeta_{3,1}=\tilde\omega_3-\tilde\nu_{3,1}-\tilde u_{3,1}$. (178)
STEP 5: Substitute $\tilde U_{1,1}$, $\tilde U_{2,2}$ and $\tilde\zeta_2$ in lieu of $u_1$, $u_2$ and $\zeta_2$ into (176). Also, substitute $\tilde\zeta_{3,1}$ in lieu of $\zeta_3$ into (176). Solve the congruences (176) starting with the condition on $\nu_4$ and proceeding to the condition on $\nu_{n-3}\pmod{p^3}$. The last two congruences of (176) verify the consistency of $u_{M-3}$ with the corresponding LHS's, which are defined modulo $p^2$ and modulo $p$, respectively. In the event such a consistency is satisfied, a value of $u_{M-3}\pmod p$ is produced and $\tilde u_{3,1}$ is validated.
All possible selections of $\tilde u_{3,1}$ must be tested. If no selection of $\tilde u_{3,1}$ satisfies (176) for the given pair $(u_{1,1},u_{2,1}\mid M)$, then such a pair must be discarded.
3.3) Validation of $u_{2,2}$
The integer $u_{3,1}$ produced by (176) should be consistent with the value of $u_{2,2}$ produced by (167). However, there are many selections of $(u_{1,1},u_{2,1})$ which, by (167), produce a corresponding $u_{2,2}$ and, by (176), do not produce any corresponding $u_{3,1}$.
Thus it appears that (176) is more severe than (167) in the determination of $u_{3,1}$.
Therefore, it is possible to execute (176) for all the confirmed pairs $(u_{1,1},u_{2,1})$ which survive (142) and are listed in TABLE III and produce a corresponding roster of viable triads $(u_{1,1},u_{2,1},u_{3,1})$.
This step depopulates TABLE III drastically. Compare TABLE VII with TABLE VIII.
3.4) Execution Time
After the depopulation of Table VII into Table VIII, the algorithm of Section 2.9 can resume and determine the appropriate $u_{2,i}$'s for all $i>2$. For the example of Table I, Table IX shows the resulting values of $u_{2,i}$ and $\nu_i$ for all $i>2$.
The benefit of the validation of $u_{2,2}$ is the reduction of the total execution time by a factor of approximately $p$, thus reducing the total execution time to approximately $p^6$.
XI. AN ALTERNATIVE APPROACH TO THE HIGHER POWERS OF p
1) The Approach
Consider the case when the triad $(\tilde\alpha,\tilde U_{1,1},\tilde U_{2,2})$ is a solution of (142) and (150), when $N$ is defined as in (37) and $M$ is used in lieu of $n_0$.
In this case, it is possible to compute $r_0$ modulo $p^4$ as
$r_0\equiv\tilde T_0^{-1}\cdot r\pmod{p^4}$ (179)
where
$r\equiv\tilde\omega_0+(\tilde\omega_1+\tilde u_{1,1})\cdot p+(\tilde\omega_2-\tilde\nu_{2,2}+\tilde U_{2,2})\cdot p^2\pmod{p^4}$. (180)
Define $\tilde r_{0,2}$ as the least positive solution of the following:
$r_{0,2}\equiv\tilde T_0^{-1}\cdot\left(\tilde\omega_0+(\tilde\omega_1+\tilde u_{1,1})\cdot p\right)\pmod{p^M}$. (181)
Define $\tilde T_2$ as the least positive solution of the following:
$N_0\equiv\tilde T_2\cdot\tilde r_{0,2}^{\,2}\pmod{p^M}$. (182)
If $\tilde T_2$ is odd, define
$N_2=\tilde T_2\cdot N_0$. (183)
Define $\tilde A_2$ as a solution of the following
$N_2\equiv\tilde A_2^{\,2}\pmod{p^M}$. (184)
Then the general expression of the pair $(r,s)$ will be
for some integers $U(\tilde T_2)$ and $V(\tilde T_2)$.
Compare with (41).
Notice that (41) and (185) operate on rectangular lattices of sides $p^2$ and $p^4$. Compare with (24).
NOTE 1: The integers $u_2$ and $U(\tilde T_2)$ are related to each other. In fact,
and
$U(\tilde T_2)\equiv\tilde T_2\cdot\tilde T_0^{-1}\cdot\tilde U_{2,2}\pmod{p^4}$. (187)
Thus $U_{2,2}$ is a known quantity, and the solution of (183) follows the pattern of (142).
NOTE 2: In (142) the congruences modulo $p^n$ and $p^{n-1}$ do not depend explicitly on the variables of the system ($u_i$ and $\nu_i$), because such dependence is embedded in the definition of $N$. Likewise, the four highest degree congruences (say modulo $p^M$, $p^{M-1}$, $p^{M-2}$, $p^{M-3}$) do not depend explicitly on the corresponding variables.
XII. THE CASE WHEN $\tilde u_1\equiv 0\pmod p$
Consider the case when $N_0$ is known not to be a prime number, and the algorithm does not determine any divisor of $N_0$ for any $\tilde\alpha$ and for $\tilde u_1\not\equiv 0\pmod p$.
It has been observed that, given $p$, this situation occurs in less than 1% of the integers under test.
The problem can be addressed by defining $\tilde T_2$ as a solution of the following:
$N_0\equiv T_2\cdot\alpha^2\pmod{p^M}$ (188)
and restating (185) accordingly. In this case, a solution of (185) may exist only if $U(\tilde T_2)\not\equiv 0\pmod{p^2}$.
One possible strategy is to select a different prime, say $p'$, relying on the low probability that $\tilde u$ be congruent to zero both modulo $p$ and modulo $p'$. Of course, it is also possible to execute the proposed algorithm in parallel using both $p$ and $p'$.
XIII. THE CASES WHEN $\omega_1^2-u_1^2\equiv 0\pmod p$
A similar situation may occur when $\omega_1^2-u_1^2\equiv 0\pmod p$. This situation was observed in less than 1% of the cases under test. Again, duplicating the algorithm using a different prime may solve the problem.
XIV. OTHER SINGULAR EVENTS
A variety of rare, singular events occur occasionally. Some of the Tables presented in this document describe unexpected events. Gradually, such events are being understood. All of them can be sidestepped by changing the selection of p.
Fundamentally, the proposed representation of integers and the resulting management of the carries offer a primary avenue towards the control of the factorization problem.
Consider the linear congruence
$A\cdot x+B\cdot y\equiv C\pmod{p^2}$ (A.1)
where $A\not\equiv 0\pmod p$ and $B\not\equiv 0\pmod p$.
Let
Consider the case when $x$ and $y$ are constrained by the conditions that $0\le x_0,y_0\le p-1$ and also $x_1=0$ and $y_1=0$. In other words, $x$ and $y$ are "truncated" modulo $p$.
To solve (A.1) under these constraints, let $C=c_0+c_1\cdot p$ and solve
$A\cdot x+B\cdot y\equiv c_0\pmod p$. (A.3)
There exist $p$ solution pairs $(x_0,y_0)$ for this congruence. For each solution pair, compute the integer
$\lambda\cdot p=A\cdot x_0+B\cdot y_0-c_0$. (A.4)
Depending on the value of $c_1$, there may be one or more solution pairs which satisfy (A.1), even though $x$ and $y$ are truncated modulo $p$. Also, in some cases, there is no solution pair for which $\lambda\equiv c_1\pmod p$.
The situation is illustrated by Table A.I, which shows the case when $p=29$, $A=38$, $B=41$, $c_0=2$, $c_1=13$.
The example illustrates the fact that a pair $(x_0,y_0)$, which was truncated modulo $p$, may satisfy a congruence modulo $p^2$.
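The procedure (A.3)-(A.4) is small enough to run end to end. The following is an added example, not code from the patent: it enumerates the $p$ solution pairs of the mod-$p$ congruence (A.3), computes the carry $\lambda$ of (A.4) for each, and keeps the pairs whose carry matches $c_1$ modulo $p$, which are exactly the truncated solutions of (A.1). It is run on the page's own case $p=29$, $A=38$, $B=41$, $c_0=2$, $c_1=13$ (Table A.I); the further values of $c_1$ shown at the end are constructed here to exhibit the "two pairs" and "no pair" outcomes the text mentions. Function names are this example's own.

```python
# Added example (not the patent's code): the truncated linear congruence
# A*x + B*y == C (mod p^2) of (A.1) with digits 0 <= x, y <= p-1, solved by
# the mod-p step (A.3) and the carry test (A.4).  Function names are ours.


def truncated_solutions(p, A, B, c0, c1):
    """All pairs (x0, y0), 0 <= x0, y0 < p, with A*x0 + B*y0 == c0 + c1*p (mod p^2).

    A and B must be nonzero modulo p, the hypothesis of (A.1); c0 is a base-p digit.
    Every truncated solution of (A.1) is also a solution of (A.3), so scanning
    the p solutions of (A.3) and filtering on the carry is exhaustive.
    """
    if A % p == 0 or B % p == 0:
        raise ValueError("A and B must be nonzero modulo p")
    if not 0 <= c0 < p:
        raise ValueError("c0 must be a base-p digit")
    b_inv = pow(B, -1, p)              # inverse of B modulo p (Python 3.8+)
    found = []
    for x0 in range(p):
        # (A.3): for each digit x0 there is exactly one digit y0 modulo p
        y0 = (b_inv * (c0 - A * x0)) % p
        value = A * x0 + B * y0
        assert (value - c0) % p == 0
        lam = (value - c0) // p        # (A.4): the carry lambda, a non-negative integer
        # the pair satisfies (A.1) exactly when the carry agrees with c1 modulo p
        if lam % p == c1 % p:
            found.append((x0, y0))
    return found


def check_solution(p, A, B, c0, c1, pair):
    """Independent check of one pair directly against (A.1)."""
    x0, y0 = pair
    return (A * x0 + B * y0) % (p * p) == (c0 + c1 * p) % (p * p)


if __name__ == "__main__":
    # the case of Table A.I: p = 29, A = 38, B = 41, c0 = 2, c1 = 13
    print("c1 = 13:", truncated_solutions(29, 38, 41, 2, 13))   # one pair
    # constructed variants of c1 for the same A, B, c0:
    print("c1 = 21:", truncated_solutions(29, 38, 41, 2, 21))   # two pairs
    print("c1 = 16:", truncated_solutions(29, 38, 41, 2, 16))   # no pair
```

The filtering step is exhaustive rather than heuristic: a pair with truncated digits that satisfies (A.1) must satisfy (A.3), so nothing outside the $p$ candidates of (A.3) can be a solution, and the carry test decides each candidate exactly.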
[1] C. F. Gauss, Disquisitiones Arithmeticae, New York, N.Y.: Springer-Verlag, 1986.
[2] R. L. Rivest, A. Shamir, L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, Vol. 21, pp. 120-125, 1978.
[3] G. H. Hardy, E. M. Wright, An Introduction to the Theory of Numbers, Oxford, U.K.: The Clarendon Press, 1979.
Following is a list of relevant features of the invention.
The present invention pertains to a method for decoding an encrypted electromagnetic signal W representative of a message encoded by a first computer with public key $N_0=r\times s$, where $N_0$, $r$ and $s$ are integers and W is a function of $r$ and $s$. The method comprises the steps of storing the signal W in a non-transient memory. There is the step of decoding with a second computer in communication with the memory the signal W in the memory with the second computer generated steps of selecting a prime number $p$ of the form $p=4k+1$ for an odd integer $k$ such that the public key $N_0$ is a non-quadratic residue modulo $p$; calculating $n_0$ satisfying the inequalities pn
$N\equiv A^2\pmod{p^n}$ (189)
by using the representation
where $\omega_i$ satisfies the condition
$0<\omega_i<p^{n-i}$. (191)
There is the step of decrypting with the computer the signal W with the public key N0 and the prime factors of integer N0. There is the step of displaying on a display by the computer the decrypted signal W. There is the step of reviewing the decrypted signal W to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law.
There may be the second computer generated steps of defining $M=2^h+1$, for $N=r\times s$ with $r>s$, take the solution 1 and construct relations
with $U$, $V$ as unknowns; forming a set of Supercongruence equations by matching coefficients of $N$ and coefficients of $(A+U\times p-V\times p^2)(A-U\times p-V\times p^2)$, the set of Supercongruence equations establishes $M$ relations in terms of $u_i$'s and $v_i$'s, which are coefficients of $U$ and $V$ respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows:
1) Testing feasibilities of digits u1's and u2's.
2) Calculating carries by tallying differences on two sides of the Supercongruence equations.
3) Using carries to identify subsequent digits given a feasible pair of u1 and u2 by using Supercongruence equations again.
4) Using the Euclidean algorithm to test whether $A+U\times p-V\times p^2$ is a divisor of $N_0$.
There may be the step of enabling the alerting of a government agency to prevent the act that will occur to prevent physical damage or bodily injury to a person occurring. The steps described herein allows for the ability to alert a desired government agency if a review of the decrypted signal W indicates that an alert is warranted.
By using the methods described herein, $N_0$ is factored in time $O(\log^6 N_0)$. This speed is important, which only the operation of the second computer performing the second computer generated steps can achieve, because by having this speed for factoring, the signal W representative of a message can be effectively decrypted and deciphered in real time so any threat to property or individuals can be quickly acted upon to eliminate the threat before it occurs and actual damage to property or injury to individuals is prevented or mitigated. In other words, for W to be effectively understood, it must be decrypted fast enough that any threat identified in W can be stopped. The present invention with the use of the second computer allows for this capability. Here, it is inherent that to save lives if required, the second computer is required.
There may be the step of obtaining the electromagnetic signal W representative of a message from a telecommunications network, or a data network or an Internet or a non-transient memory. Law enforcement departments, such as Homeland Security, the FBI, the CIA, NSA, state and local Police or the Military have the well-known capability of obtaining or intercepting messages sent encrypted by a first computer operated by a potential terrorist or criminal as an electromagnetic signal, such as by smart phone or computer or internet, or stored in the memory of a smart phone or computer, or a flash drive. The encrypted electromagnetic signal W can be extracted from such messages or memories and operated upon by the techniques described herein to decrypt the encrypted messages and read them to determine whether there is any violation of law or threat to property or individuals. Of course, the intended recipient of the encrypted message W by the first computer has the key so the recipient can decrypt the encrypted message W the recipient has received and understand it. It is the object of this invention, and the problem this invention solves, to allow a recipient of the encrypted message W who does not have the key to read it, to determine what the key $N_0$ is by the techniques described here, and then using the determined key $N_0$, decrypting the encrypted message W, reviewing what the decrypted message says, and acting as necessary to protect against property damage or bodily injury or any type of crime, as deemed appropriate.
The present invention pertains to a second computer for decoding an encrypted electromagnetic signal W representative of a message encoded by a first computer with public key $N_0=r\times s$, where $N_0$, $r$ and $s$ are integers and W is a function of $r$ and $s$, comprising:
decoding with a CPU in communication with the memory the signal W in the memory that decodes the signal W by the second computer generated steps of selecting a prime number $p$ of the form $p=4k+1$ for an odd integer $k$ such that the public key $N_0$ is a non-quadratic residue modulo $p$; calculating $n_0$ satisfying the inequalities pn
$N\equiv A^2\pmod{p^n}$ (193)
by using the representation
where $\omega_i$ satisfies the condition
$0<\omega_i<p^{n-i}$, (195)
the CPU decrypting the signal W with the public key N0 and the prime factors of integer N0; and a display on which the decrypted signal W is displayed so the decrypted signal W can be reviewed to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law or will violate a law. The display can be a computer screen or smart phone screen or any screen or piece of paper on which the decrypted signal W is printed or any medium on which the decrypted signal W can be reviewed.
The CPU of the second computer may perform the CPU generated steps of defining $M=2^h+1$ for $N_0=r\times s$ with $r>s$, take the solution 1 and construct relations
with $U$, $V$ as unknowns; forming a set of Supercongruence equations by matching coefficients of $N$ and coefficients of $(A+U\times p-V\times p^2)(A-U\times p-V\times p^2)$, the set of Supercongruence equations establishes $M$ relations in terms of $u_i$'s and $v_i$'s, which are coefficients of $U$ and $V$ respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows:
1) Testing feasibilities of digits $u_1$'s and $u_2$'s.
2) Calculating carries by tallying differences on two sides of the Supercongruence equations.
3) Using carries to identify subsequent digits given a feasible pair of $u_1$ and $u_2$ by using Supercongruence equations again.
4) Using the Euclidean algorithm to test whether $A+U\times p-V\times p^2$ is a divisor of $N_0$.
$N_0$ is factored by the CPU of the second computer in the time $O(\log^6 N_0)$.
The present invention pertains to a non-transitory readable storage medium which includes a computer program stored on the storage medium for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N0=r×s, where N0, r and s are integers and W is a function of r and s, where the signal W has been stored in a non-transient memory of a second computer, having the second computer generated steps of:
Selecting a prime number $p$ of the form $p=4k+1$ for an odd integer $k$ such that the public key $N_0$ is a non-quadratic residue modulo $p$; calculating $n_0$ satisfying the inequalities pn
$N\equiv A^2\pmod{p^n}$ (197)
by using the representation
where $\omega_i$ satisfies the condition
$0<\omega_i<p^{n-1}$. (199)
There is the step of decrypting with the second computer the signal W with the public key $N_0$ and the prime factors of integer $N_0$. There is the step of displaying on a display by the second computer the decrypted signal W. There is the step of reviewing the decrypted signal W for predetermined words to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law. It is well known in the art to search for words, such as bomb or gun, to flag a message for further review for possible action, as deemed appropriate.
The computer program may have the second computer generated steps of defining $M=2^h+1$ for $N_0=r\times s$ with $r>s$, take the solution 1 and construct relations
with $U$, $V$ as unknowns; forming a set of Supercongruence equations by matching coefficients of $N$ and coefficients of $(A+U\times p-V\times p^2)(A-U\times p-V\times p^2)$, the set of Supercongruence equations establishes $M$ relations in terms of $u_i$'s and $v_i$'s, which are coefficients of $U$ and $V$ respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows:
1) Testing feasibilities of digits $u_i$'s and $v_i$'s.
2) Calculating carries by tallying differences on two sides of the Supercongruence equations.
3) Using carries to identify subsequent digits given a feasible pair of $u_1$ and $u_2$ by using Supercongruence equations again.
4) Using the Euclidean algorithm to test whether $A+U\times p-V\times p^2$ is a divisor of $N_0$.
Although the invention has been described in detail in the foregoing embodiments for the purpose of illustration, it is to be understood that such detail is solely for that purpose and that variations can be made therein by those skilled in the art without departing from the spirit and scope of the invention except as it may be described by the following claims.
This application is a continuation-in-part of U.S. patent application Ser. No. 15/099,306 filed Apr. 14, 2016 and claims priority from U.S. provisional applications Ser. No. 62/257,045 filed Nov. 18, 2015; 62/204,278 filed Aug. 12, 2015 and 62/154,230 filed Apr. 29, 2015, all of which are incorporated by reference herein.
Number | Name | Date | Kind
---|---|---|---
20130136257 | You | May 2013 | A1
20180198613 | Anderson | Jul 2018 | A1

Entry
---
Burt Kaliski, "The Mathematics of the RSA Public-Key Cryptosystem", RSA Laboratories, Feb. 2003 (Year: 2003).

Number | Date | Country
---|---|---
62257045 | Nov 2015 | US
62204278 | Aug 2015 | US
62154230 | Apr 2015 | US

Relation | Number | Date | Country
---|---|---|---
Parent | 15099306 | Apr 2016 | US
Child | 16044096 | | US