Number Theoretic Algorithms 2025/26

Number Theoretic Algorithms

Lectures and exercises:

   (16.2.) Course motivation: description of standard algorithms for factorization of composite numbers and related problems. 1. Relationship between RSA and factorization. Calculation of RSA public composit number decomposition using a private key.

   (23.2.) Factorization algorithm with an oracle for finding an RSA private key. 2. Pollard's rho method. Period and preperiod of sequences given by functions, Floyd's method for finding cycles.
   Practicals: Compatibility of polynomial functions. Period and preperiod of affine functions on Z_p, group of affine transformations on a line.

   (2.3.) Estimates of the complexity of algorithms of trial division. Pollard's rho method and Pollard-Floyd algorithm. Period and preperiod of a function given by x²

   (9.3.) 3. B-powersmooth numbers. Largest B-powersmooth elements. Outline of Pollard's (p-1) method. Time complexity of the first version Pollard's (p-1) method.
   Practicals: Calculation of B-powersmooth elements for specific small B, determination of their number and asymptotic behavior. Fermat numbers, proof of primality of F₄ and compositeness of F₅.

   (16.3.) Probability of success of the second version Pollard's (p-1)-method. Two-phase version of the Pollard's (p-1) method for one large prime. Congruences on rings Z_N[x], the field extension of the field F_p of degree 2 and the idea of (p+1)-method.

   (23.3.) Formulation and correctnes of (p+1)-algorithm. 4. Lenstra's elliptic-curve algorithm. Partial addition on the set Z_N² for general N and the group E_a,b(Z_p) for a prime number p. Collision search when computing the operation on E_a,b(Z_N).
   Practicals: If the collision-search algorithm over Z_N doesn't find a proper divisor, then \pi_p(A+B) = \pi_p(A) +\pi_p(B) for each p|N. Operations on the groups E_a,b(Z_p) for a prime p.

   (30.3.) Relations between powers of an element of E_a,b(Z_N) and the group power of the proejction in E_a,b(Z_N) for a prime divisor p of N. Lenstra's ECM algorithm.
   Practicals: Calculation and finding colisions of addition in Z_N².

   (13.4.) Parallel inversion algorithm for ECM. 5. Roots modulo n. The Pohlig-Hellman reduction and idea of the Tonelli-Shanks algorithm for computing the square root modulo an odd prime.

   (20.4.) Correctness and time complexity of Tonelli-Shanks algorithm. Finding roots of polynomials modulo an odd prime and square roots modulo a power of a prime using Hensel's lifting.
   Practicals: Square root calculation modulo a prime number using the Tonelli-Shanks algorithm. Finding roots of quadratic and general polynomials modulo a prime number.

   (27.4.) Square root calculation modulo a composite number. An attack on RSA using a deterministic algorithm for finding square roots modulo the product of two distinct primes. 6.Dixon's faktorization and CFRAC. Basis of faktorization and smooth relations. Scheme of Dixon's faktorization.

   (4.5.) Calculation of the linear phase of Dixon’s factorization. Continued fractions and convergent fractions, an algorithm for calculating the continued fraction expansion of a square root.
   Practicals: Calculation of the continued fraction of a square root. Finding the value of a periodic continued fraction. Description of the set of bad solutions of the linear phase of Dixon’s factorization.

   (11.5.) Generating relations and formulation of the CFRAC algorithm. 7. Quadratic sieve. Finding smooth relations using sieving, a simple version.
   Practicals: Bad solutions in linear phase of Dixon’s factorization form a subspace.

   (18.5.) Sieving higher powers, and finding partial relations. 8. Discrete logarithm. The discrete logarithm problem. The Pohlig-Hellman reduction, the baby-steps algorithm, and the giant-steps algorithm. Factorization using an oracle solving the generalized discrete logarithm problem in the group Z_N^*.
   Practicals: Structure of involutions in the group Z_N^*, properties of the subgroup K and searching of proper divizor of N.