In this post i will show some basic facts about different number field and what information they leak about prime factors of $n$ if $\sigma_0(n)$ is known.
We begin with two common facts about quadratic fields:
| Theorem. Every quadratic field is of the form $\mathbb{Q}(\sqrt{d})$, where $d$ is a square-free rational integer not equal to $1$. The ring of integer of a quadratic field $\mathbb{Q}(\sqrt{d})$ is of the form $\mathbb{Z}[\omega]$, where $\omega$ is given by 
 | 
| Theorem [Discriminant and Norm]. The discriminant $D$ of a quadratic field $\mathbb{Q}(\sqrt{d})$ is given by 
 
 | 
The next Theorem gives the complete characterisation of primes in quadratic fields / rings:
| Theorem [Primes characterisation [1]]  Let $\mathbb{Q}(\sqrt{d})$ have the unique factorization property and $D$ the discriminant of the quadratic field, then 
 | 
For the next Theorem, we need the $\chi_d(x)$ character.
- If $x = p$ is an odd natural prime and $p \nmid p$, then $\chi_d(p) = \binom{d}{p}$, whereof $\binom{d}{p}$ is the usual Legendre symbol
- If $x=2$ is not a divisor of $D$, hence, $d \equiv 1\pmod{4}$, then $\chi_d(2) = 1$ if $d \equiv 1\pmod{8}$ and $\chi_d(2) = -1$ if $d\equiv 5\pmod{8}$
- If $x = p^2$ and $p$ is a natural prime not divisor of $D$, then $\chi_d(p^2) = 1$.
| Theorem Let $\mathbb{Q}(\sqrt{d})$ have the unique factorization property and $D$ the discriminant of the quadratic field, then the prime of this field are those numbers $\pi$ whose norm $N(\pi) =n$ has one of the following properties: 
 | 
# Examples #
We neglect divisors of $D$.
1. $d=-1$, $\mathbb{Z}[\omega=\sqrt{-1}]$. Discriminant $D = -4$. Then we have the primes:
- $\zeta = (p+b\omega) \in \mathbb{Z}[\omega]$ and $b=0$, $p \in \mathbb{P}$ and $p \equiv 3\pmod{4}$. 
 Proof: then $N(\zeta) = p^2$. If $p \equiv 3\pmod{4}$, then $\chi_{-1}(p) = \binom{-1}{p} = -1$.
- $\zeta = (a+p\omega) \in \mathbb{Z}[\omega]$ and $a=0$, $p \in \mathbb{P}$ and $b \equiv 3\pmod{4}$.
 Proof: analog
- $\zeta = (a+b\omega) \in \mathbb{Z}[\omega]$ and $\left|a^2+b^2\right| = a^2+b^2 = p \in\mathbb{P}$ and $p\equiv 1\pmod{4}$.
 Proof: It is $N(\zeta) = a^2-db^2 = a^2+b^2 = p$. Only primes of the form $p \equiv 1\pmod{4}$ can be written as the sum of two squares.
- $\zeta = (p+b\omega) \in \mathbb{Z}[\omega]$ and $b=0$, $p \in \mathbb{P}$ and $p \equiv  \{5,7\} \pmod{3}$
 Proof: It is $N(\zeta) = p^2$. $\chi_3(p) = \binom{3}{p} = \binom{p}{3}(-1)^{(p-1)/2}$, hence $p \equiv \{5,7\}\pmod{12}$ to make $\chi_3(p) = -1$.
- $\zeta = (0+p\omega) \in \mathbb{Z}[\omega]$ and $a=0$, $p \in \mathbb{P}$ and $p \equiv \{5,7\}\pmod{12}$  to make $\chi_3(p) = -1$.
 Proof: analog
- $\zeta = (a+b\omega) \in \mathbb{Z}[\omega]$ and $N(a+b\omega) = \left|a^2-3b^2\right| = p \in\mathbb{P}$, hence $p\equiv \{1,11\}\pmod{3}$.
 Proof: $\chi_3(p) = 1 = \binom{3}{p} = \binom{p}{3}(-1)^{(p-1)/2}$, hence $p \equiv \{1,11\}\pmod{12}$ to make $\chi_3(p) = -1$.
- $\zeta = (p+b\omega) \in \mathbb{Z}[\omega]$ and $b=0$, $p \in \mathbb{P}$ and $p \equiv  \{5,11,13,15,17,23\} \pmod{28}$
 Proof: It is $N(\zeta) = p^2$. $\chi_7(p) = \binom{7}{p} = \binom{p}{7}(-1)^{(p-1)/2\cdot 3} = \binom{p}{7}(-1)^{(p-1)/2}$, hence $p \equiv \{5,11,13,15,17,23\} \pmod{28}$ to make $\chi_7(p) = -1$.
- $\zeta = (0+p\omega) \in \mathbb{Z}[\omega]$ and $a=0$, $p \in \mathbb{P}$ and $p \equiv \{5,11,13,15,17,23\} \pmod{28}$ 
 Proof: analog
- $\zeta = (a+b\omega) \in \mathbb{Z}[\omega]$ and $N(a+b\omega) = 
\left|a^2-7b^2\right| = p \in\mathbb{P}$, hence $p\equiv \{1,3,9,19,25,27\} \pmod{28}$.
 Proof: $\chi_7(p) = 1$ if $\chi_7(p) = \binom{7}{p} = \binom{p}{7}(-1)^{(p-1)/2\cdot 3} = \binom{p}{7}(-1)^{(p-1)/2}$, hence $p \equiv \{1,3,9,19,25,27\} \pmod{28}$ to make $\chi_7(p) = 1$.
Note that there are only $8$ different euclidean number fields with $d\equiv 2\pmod{4}$ or $d\equiv 3\pmod{4}$, these are
- $d \equiv 2\pmod{4}$: $d = -2, 2, 6$
- $d \equiv 3\pmod{4}$: $d = -1, 3, 7, 11, 19$
# Factoring N=PQ #
Let $\mathcal{A}(d,N)$ be the algorithm that on input $N$ counts the factors in $\mathbb{Z}[\sqrt{d}]$.
Let $N = PQ$ and $\mathcal{A}(-1,N) = 3$, i.e., $N = PQ = \pi_1\pi_2\pi_3$. So one of the natural prime number $P$ and $Q$ must also be a prime in $\mathbb{Z}[\sqrt{-1}]$ and it hence must be of the form $3+4\mathbb{Z}$. The other one is, w.l.o.g., equal to $p_2p_3 = (a+b\omega)(a-b\omega) = a^2+b^2$ and hence must be of the form $1+4\mathbb{Z}$. Likewise, we can use the information $\mathcal{A}(3,N)$ and $\mathcal{A}(7,N)$ in a similar way.
Problem 1. How to combine these results without the need to test all possible combinations? Sure, one would use the chinese remainder theorem, but is the prime which is congruent to $r_{4,1}$ modulo $4$ congruent to $r_{3,1}$ or $r_{3,2}$?
Problem 2. For a ring with larger $d$, i.e., $\mathbb{Z}[\sqrt{7}]$ one gets several possible residues, i.e., $\{1,3,9,19,25,27\}$ or $\{5,11,13,15,17,23\}$ as shown in the example. One could combine this information with $\mathbb{Z}[\sqrt{-1}]$, which reduces the solution modulo $7$ to three. But in general, the number of solution increases as $d$ increases. How can one reduce the number of possible solutions that arise?
Example: $N = PQ = 29\cdot 43 = 1247$ and we want to determine $P$ and $Q$. It is $\mathcal{A}(-1,1247) = 3$. Hence either prime $P$ is $1+4\mathbb{Z}$ and $Q$ is $3+4\mathbb{Z}$ or vice versa. Actually, this is no new information since $N \pmod{4} \equiv 3$ tells us the same. Only the case $\mathcal{A}(-1,1247) \in \{2,4\}$ would have telt us new information.
Next $\mathcal{A}(7,1247) = 3$. Hence one prime is equal to $\{1,3,9,19,25,27\}$ modulo $28$ and the other $\{5,11,13,15,17,23\}$. Which actually is not new at all.
Next $\mathcal{A}(3,1247) = 2$. Hence both factor $P$ and $Q$ are congruent to either $5$ or $7$ modulo $12$.
Lets combine the results so far: W.l.o.g.
We get the useful information of $P$ and $Q$ modulo $4$. And from the other number fields $\mathbb{Q}(\sqrt{d})$ we get around $(d-1)/2$ possible values for $P$ and $Q$ each.
But this reduced size of information we get already for another equally important number, i.e., $P+Q$, via a different and more or less trivial approach:
$PQ = N$ and $P+Q = S$, then $$P^2 + N = PS \Leftrightarrow P^2 - PS + N \equiv 0\pmod{d}$$.
Only for around $(d-1)/2$ values for $S$, this quadratic congruence has a solution. For example in the case $N = 1247$ it is $S \equiv \{1,2,5,6\} \pmod{7}$. But for large integers, this reduction is not sufficient enough.
# Amplification #
Suppose $N=PQ$ for odd primes $P$ and $Q$. The number of prime factors of $N$ in $\mathbb{Q}[\sqrt{-1}]$ give non-trivial information whenever the answer is, that $N$ has either $2$ or $4$ prime factors in $\mathbb{Z}[\sqrt{-1}]$. For $3$ factors, one gets the same information as from $N\pmod{4}$. It is often the case in cryptography, that already a single bit of non-trivial information about a secret can be amplified to gain more information or often to break to whole cryptosystem. 
Is this case similar, i.e., is it possible to amplify this information to completely factor the integer $N$?
[1] S.I.Borewicz and I.R. Safarevic, Zahlentheorie, Birkhäuser Verlag Basel
[2] Prime numbers in quadratic fields. Published in, CWI Quarterly, Vol. 7, No. 4, p.367-394. ISSN 09225366. Author, T.J. Dekker. Date, 1994.
 
No comments:
Post a Comment