%! TEX root = NT.tex
% vim: tw=50
% 27/11/2023 10AM

\begin{flashcard}[congruent-squares-gcd-factorisation-prop]
\begin{proposition} % Proposition 6.8
\label{cong_squares_factorisation_prop}
Let $N \in \NN$ be odd and composite. Suppose $\exists r, s \in \ZZ$ such that $r \not\equiv \pm s \pmod{N}$, but $r^2 \equiv s^2 \pmod{N}$. Then \cloze{$\gcdbrack(N, r + s)$ and $\gcdbrack(N, r - s)$ are non-trivial factors of $N$.}
\end{proposition}
\begin{proof}
\cloze{By hypothesis, $r^2 \equiv s^2 \pmod{N}$ $\implies$ $(r + s)(r - s) \equiv 0 \pmod{N}$. Let's show $\gcdbrack(N, r - s)$ is a non-trivial factor of $N$ (the other case is similar). $\gcdbrack(N, r - s) \divides N$, so we need to show that $\gcdbrack(N, r - s) \notin \{1, N\}$. If $\gcdbrack(N, r - s) = N$, then $N \divides r - s$, so $r \equiv s \pmod{N}$ \contradiction. If $\gcdbrack(N, r - s) = 1$, then $r - s \pmod{N}$ has a multiplicative inverse, hence $r + s \equiv 0 \pmod{N}$, so $r \equiv -s \pmod{N}$ \contradiction.}
\end{proof}
\end{flashcard}

Directly finding $r, s$ as in the Proposition is tricky. Instead, we look for integers $x_i$ such that $x_i^2 \equiv c_i \pmod{N}$ for some $c_i$ such that the $c_i$ have a ``small'' number of prime factors as $i$ varies.

\begin{lemma} % Lemma 6.9
Let $p_1, \ldots, p_r$ be distinct primes, and let $c_1, \ldots, c_k$ be non-zero integers divisible only by primes in $\{p_1, \ldots, p_r\}$. If $k > r + 1$, then there exists a non-empty subset $J \subset \{1, \ldots, k\}$ such that
\[ c_J = \prod_{j \in J} c_j \]
is a square.
\end{lemma}
\begin{proof}
Pigeonhole principle: for any $J \subset \{1, \ldots, k\}$, let $c_J = \prod_{j \in J} c_j$. Write
\[ c_J = (-1)^{\alpha_{J, 0}} \left( \prod_{i = 1}^r p_i^{\alpha_{J, i}} \right) b_J^2 \]
where $b_J \in \NN$, $\alpha_{J, i} \in \{0, 1\}$, $i = 0, \ldots, r$. There are $2^k$ choices for a subset $J \subset \{1, \ldots, k\}$, and $2^{r + 1}$ possibilities for $\alpha_J = (\alpha_{J, 0}, \ldots, \alpha_{J, r})$.
If $k > r + 1$, then $2^k > 2^{r + 1}$, so there exist $J, J' \subset \{1, \ldots, k\}$ with $J \neq J'$ such that $\alpha_J = \alpha_{J'}$. Then
\[ c_J c_{J'} = \left( (-1)^{\alpha_{J, 0}} \prod_{i = 1}^r p_i^{\alpha_{J, i}} \right)^2 b_J^2 b_{J'}^2 \]
is a square. Also,
\[ c_J c_{J'} = \left( \prod_{j \in J} c_j \right) \left( \prod_{j \in J'} c_j \right) = c_{J \triangle J'} \, (c_{J \cap J'})^2 ,\]
where $J \triangle J' = (J \cup J') \setminus (J \cap J')$ (which is non-empty since $J \neq J'$). Since $c_J c_{J'}$ and $(c_{J \cap J'})^2$ are both (non-zero) squares, we see that $c_{J \triangle J'}$ is a square.
\end{proof}

\begin{flashcard}[factor-base-defn]
\begin{definition}[Factor base] % Definition 6.10
\glsnoundefn{fac_base}{factor base}{factor bases}
\glsnoundefn{B_num}{$B$-number}{$B$-numbers}
\cloze{Let $N \in \NN$ be an odd composite integer. A \emph{factor base} is a set $B = \{-1, p_1, \ldots, p_r\}$ where the $p_i$ are \glspl{prime}. A \emph{$B$-number} is a positive integer $x$ such that all \gls{prime} factors of $\gmod{x^2}$ lie in $B$, where $\gmod{x^2}$ is the unique integer such that $\gmod{x^2} \equiv x^2 \pmod{N}$ and $-\frac{N}{2} < \gmod{x^2} < \frac{N}{2}$.}
\end{definition}
\end{flashcard}

\vspace{-1em}
We now describe the factor base method to factorise an odd composite $N \in \NN$.
\begin{enumerate}[\bfseries Step 1]
\item Choose a \gls{fac_base} $B$.
\item Generate some \glspl{B_num} $x_1, \ldots, x_k$.
\item Find a non-empty subset $J \subset \{1, \ldots, k\}$ such that $\prod_{j \in J} \gmod{x_j^2} = y^2$ for some $y \in \NN$. Then, setting $x = \prod_{j \in J} x_j$, we have $x^2 \equiv y^2 \pmod{N}$. If $x \not\equiv \pm y \pmod{N}$, then by \cref{cong_squares_factorisation_prop}, $\gcdbrack(N, x + y)$, $\gcdbrack(N, x - y)$ are non-trivial factors of $N$. If $x \equiv \pm y \pmod{N}$, then go back to Step 2 and try again.
\end{enumerate}
This is only a method, not an algorithm. When can this method work?
If we find such $x, y$ with $\gcdbrack(x, N) = \gcdbrack(y, N) = 1$, then $\frac{x}{y} \pmod{N}$ is a solution to $z^2 \equiv 1 \pmod{N}$, which we want not to equal $\pm 1 \pmod{N}$. If $N = \prod_{i = 1}^s p_i^{e_i}$ with $p_i$ distinct \glspl{prime} and $e_i \ge 1$, then
\[ (\ZZ / N\ZZ)^\times \cong \prod_{i = 1}^s (\ZZ / p_i^{e_i} \ZZ)^\times .\]
Since $N$ is odd, each factor $(\ZZ / p_i^{e_i} \ZZ)^\times$ is cyclic and so contains exactly two solutions of $z^2 \equiv 1$; hence there are $2^s$ solutions to $z^2 \equiv 1 \pmod{N}$. If $s \ge 2$, then we can expect $\frac{x}{y} \not\equiv \pm 1 \pmod{N}$ with probability $\frac{2^s - 2}{2^s} = 1 - 2^{1 - s} > 0$. If $s = 1$, then the method will never give a factorisation. This is OK, as we can test whether $N = m^k$ for some $k \ge 2$ in polynomial time: for each $2 \le k \le \frac{\log N}{\log 3}$, let $x$ be the closest integer to $\sqrt[k]{N}$ and test whether $N = x^k$.

One way to generate \glspl{B_num}: consider $x$ of the form $\left\lfloor \sqrt{kN} \right\rfloor$, $\left\lfloor \sqrt{kN} \right\rfloor + 1$, for $k = 1, 2, \ldots$. Then $x^2$ should be ``close'' to a multiple of $N$, so $\gmod{x^2}$ should be ``close'' to $0$ and so should have only small \gls{prime} factors.

\begin{example*}
$N = 1829$, $B = \{-1, 2, 3, 5, 7, 11, 13\}$. Calculate $\left\lfloor \sqrt{1829k} \right\rfloor = 42, 60, 74, 85$ for $k = 1, 2, 3, 4$.
\begin{center}
\begin{tabular}{c|c|c|c}
$x_i$ & $\gmod{x_i^2}$ & factorisation of $\gmod{x_i^2}$ & \gls{B_num}?
\\ \hline
$42$ & $-65$ & $-5 \times 13$ & \cmark \\
$43$ & $20$ & $2^2 \times 5$ & \cmark \\
$60$ & $-58$ & $-2 \times 29$ & \xmark \\
$61$ & $63$ & $3^2 \times 7$ & \cmark \\
$74$ & $-11$ & $-11$ & \cmark \\
$75$ & $138$ & $2 \times 3 \times 23$ & \xmark \\
$85$ & $-91$ & $-7 \times 13$ & \cmark
\end{tabular}
\end{center}
We find
\begin{align*}
(42 \times 43 \times 61 \times 85)^2 &\equiv \gmod{42^2} \times \gmod{43^2} \times \gmod{61^2} \times \gmod{85^2} \pmod{1829} \\
&= (-5 \times 13) \times (2^2 \times 5) \times (3^2 \times 7) \times (-7 \times 13) \\
&= (2 \times 3 \times 5 \times 7 \times 13)^2
\end{align*}
Now $42 \times 43 \times 61 \times 85 \equiv 1459 \pmod{1829}$ and $2 \times 3 \times 5 \times 7 \times 13 = 2730 \equiv 901 \pmod{1829}$. Since $1459 \not\equiv \pm 901 \pmod{1829}$, $\gcdbrack(1829, 1459 \pm 901)$ are non-trivial factors of $1829$. We find $\gcdbrack(1829, 2360) = 59$, $\gcdbrack(1829, 558) = 31$, and $31 \times 59 = 1829$.
\end{example*}
\begin{remark*}
In this case, $N = \gcdbrack(N, x + y) \gcdbrack(N, x - y)$. This does not always happen.
\end{remark*}