%! TEX root = NT.tex
% vim: tw=50
% 29/11/2023 10AM
\begin{remark*}[Remarks on implementation] \phantom{} \begin{enumerate}[(1)] \item To decide if $x$ is a \gls{B_num}, we need to know if $x$ is a product of numbers of $B$. We do this by trial division by the numbers of $B$. \item We showed last time using the pigeonhole principle that if $k > r + 1$, then a non-trivial relation $\prod_{i \in I} \langle x_i^2 \rangle = y^2$ must exist. It's faster in practice to find such a relation using linear algebra over $\ZZ / 2\ZZ$. \end{enumerate} \end{remark*} \vspace{-1em} Let's now discuss another way to generate \glspl{B_num}, using continued fractions. \begin{flashcard}[B-num-cfe-ineq-lemma] \begin{lemma} % Lemma 6.11
Let $N \in \NN$ be odd, composite and not square. Let $\frac{p_n}{q_n}$ be a convergent of $\sqrt{N}$. Then $|p_n^2 - Nq_n^2| < 2\sqrt{N}$. \end{lemma} \vspace{-1em} \cloze{ Why this is useful: it says $p_n^2 - Nq_n^2$ is close to $0$, i.e.\ $p_n^2$ is close to a multiple of $N$, and so $p_n$ has a good chance of being a \gls{B_num}. } \begin{proof} \cloze{We use $\left| \frac{p_n}{q_n} - \theta \right| \le \frac{1}{q_n q_{n + 1}}$ (true for the convergents $\frac{p_n}{q_n}$ of any $\theta \in \RR \setminus \QQ$), applied here with $\theta = \sqrt{N}$. Then \[ |p_n^2 - Nq_n^2| = q_n^2 \left| \frac{p_n}{q_n} - \sqrt{N} \right| \left| \frac{p_n}{q_n} + \sqrt{N} \right| \le \frac{q_n^2}{q_n q_{n + 1}} \left( 2\sqrt{N} + \frac{1}{q_n q_{n + 1}} \right) \] $\RHS$ equals \begin{align*} \frac{1}{q_{n + 1}} \left( 2q_n \sqrt{N} + \frac{1}{q_{n + 1}} \right) &\le \frac{\sqrt{N}}{q_{n + 1}} (2q_n + 1) \\ &= 2\sqrt{N} \left( \frac{q_n + \half}{q_{n + 1}} \right) \\ &< 2\sqrt{N} \end{align*} as $q_{n + 1} > q_n$.} \end{proof} \end{flashcard} \begin{note*} We only care about $p_n \pmod{N}$. We can compute this using the recurrence relation $p_n = a_n p_{n - 1} + p_{n - 2} \pmod{N}$. \end{note*} \begin{example*} $N = 12403$. Then $\sqrt{N} = \contf[111, 2, 1, 2, 2, 7, 1, \ldots]$. \begin{center} \begin{tabular}{c|c|c|c} $p_n \pmod{N}$ & $\gmod{p_n^2}$ & factorisation & \gls{B_num}? 
\\ \hline $111$ & $-82$ & $-2 \times 41$ & \xmark \\ $223$ & $117$ & $3^2 \times 13$ & \cmark \\ $334$ & $-71$ & $-71$ & \xmark \\ $891$ & $89$ & $89$ & \xmark \\ $2116$ & $-27$ & $3^3$ & \cmark \\ $3300$ & $166$ & $2 \times 83$ & \xmark \\ $5416$ & $-39$ & $-3 \times 13$ & \cmark \end{tabular} \end{center} $B = \{-1, 3, 13\}$ (when calculating by hand, it is convenient to choose the \gls{fac_base} after calculating some potential \glspl{B_num}). We see $\gmod{223^2} \times \gmod{2116^2} \times \gmod{5416^2} = (3^3 \times 13)^2$. We compute $223 \times 2116 \times 5416 \equiv 11341 \pmod{N}$ and $3^3 \times 13 \equiv 351 \pmod{N}$. Then $\gcdbrack(12403, 11341 \pm 351) = 157, 79$, which are non-trivial factors of $N$. \end{example*} \vspace{-1em} Generalisations of the \gls{fac_base} method include the ``quadratic sieve'' and the ``number field sieve''---the fastest factoring algorithm for very large $N$. One can also develop methods to find \gls{prime} factors of $N$ of particular types. We give the example of the Pollard $(p - 1)$-method, which finds prime factors $p \divides N$ such that $p - 1$ is divisible only by small \glspl{prime}. Suppose $N \in \NN$ is odd and composite, and $N = p N_0$ with $\gcdbrack(p, N_0) = 1$. Suppose $a \in \ZZ$, $\gcdbrack(a, N) = 1$. Then $a^{p - 1} \equiv 1 \pmod{p}$ by \nameref{fermats_little_thm}. We expect to have $a^{p - 1} \not\equiv 1 \pmod{N_0}$, so we expect $\gcdbrack(a^{p - 1} - 1, N)$ to be a non-trivial factor of $N$. Computing $a^{p - 1} \pmod{N}$ directly requires knowing $p$, so instead we use an exponent $k$ chosen without knowledge of $p$ that is a multiple of $p - 1$ for the primes we hope to find. Pollard's $(p - 1)$-method: \begin{enumerate}[(1)] \item Choose $m \ge 2$, let $k = \lcm(1, 2, \ldots, m)$. \item Choose $a \ge 2$, test $\gcdbrack(a, N) = 1$. If not, we have found a non-trivial factor of $N$. \item Otherwise, compute $a^k \pmod{N}$ by repeated squaring, and hope $\gcdbrack(N, a^k - 1)$ is a non-trivial factor of $N$. 
\end{enumerate} This method should find those \gls{prime} factors $p \divides N$ such that every \gls{prime} power dividing $p - 1$ is $\le m$. Reason: In this case, $p - 1 \divides k$, so $a^{p - 1} \equiv 1 \pmod{p}$, hence $a^k \equiv 1 \pmod{p}$, so $p \divides \gcdbrack(N, a^k - 1)$. \begin{example*} $N = 540143$, $m = 8$, $k = \lcm(1, 2, \ldots, 8) = 840$. $a = 2$: $840 = 8(64 + 32 + 8 + 1)$, so $2^k \equiv (2^{64 + 32 + 8 + 1})^8 \equiv 53047 \pmod{N}$. We compute $\gcdbrack(540143, 53046) = 421$, a \gls{prime} factor of $N$. Note $421 - 1 = 2^2 \times 3 \times 5 \times 7$. \end{example*} \begin{note*} There exists a polynomial-time algorithm to factorise integers (Shor's algorithm), which requires a scalable quantum computer. \end{note*} \vspace{-1em} Current research topic: find cryptosystems, implementable today, which will remain secure even if such computers become widely available.