Dixon's factorization method

In number theory, Dixon's factorization method (also Dixon's random squares method or Dixon's algorithm) is a general-purpose integer factorization algorithm; it is the prototypical factor base method. Unlike for other factor base methods, its run-time bound comes with a rigorous proof that does not rely on conjectures about the smoothness properties of the values taken by polynomial.

The algorithm was designed by John D. Dixon, a mathematician at Carleton University, and was published in 1981.

Basic idea

Dixon's method is based on finding a congruence of squares modulo the integer N which is intended to factor. Fermat's factorization method finds such a congruence by selecting random or pseudo-random ''x'' values and hoping that the integer ''x''² mod N is a perfect square (in the integers):

:$x^2\equiv y^2\quad(\hboxN),\qquad x\not\equiv\pm y\quad(\hboxN).$

For example, if , (by starting at 292, the first number greater than and counting up) the is 256, the square of 16. So . Computing the greatest common divisor of and ''N'' using Euclid's algorithm gives 163, which is a factor of ''N''.

In practice, selecting random ''x'' values will take an impractically long time to find a congruence of squares, since there are only squares less than ''N''.

Dixon's method replaces the condition "is the square of an integer" with the much weaker one "has only small prime factors"; for example, there are 292 squares smaller than 84923; 662 numbers smaller than 84923 whose prime factors are only 2,3,5 or 7; and 4767 whose prime factors are all less than 30. (Such numbers are called '' B-smooth'' with respect to some bound ''B''.)

If there are many numbers $a_1 \ldots a_n$ whose squares can be factorized as $a_i^2 \mod N = \prod_^m b_j^$ for a fixed set $b_1 \ldots b_m$ of small primes, linear algebra modulo 2 on the matrix $e_$ will give a subset of the $a_i$ whose squares combine to a product of small primes to an even power — that is, a subset of the $a_i$ whose squares multiply to the square of a (hopefully different) number mod N.

Method

Suppose the composite number ''N'' is being factored. Bound ''B'' is chosen, and the ''factor base'' is identified (which is called ''P''), the set of all primes less than or equal to ''B''. Next, positive integers ''z'' are sought such that ''z''² mod ''N'' is ''B''-smooth. Therefore it can be written, for suitable exponents ''a_i'',

: $z^2 \text N = \prod_ p_i^$

When enough of these relations have been generated (it is generally sufficient that the number of relations be a few more than the size of ''P''), the methods of linear algebra can be used (for example, Gaussian elimination) to multiply together these various relations in such a way that the exponents of the primes on the right-hand side are all even:

: $$

This yields a congruence of squares of the form which can be turned into a factorization of ''N'', This factorization might turn out to be trivial (i.e. ), which can only happen if in which case another try has to be made with a different combination of relations; but a nontrivial pair of factors of ''N'' can be reached, and the algorithm will terminate.

Pseudocode

input: positive integer $N$
output: non-trivial factor of $N$

Choose bound $B$
Let $P := \$ be all primes $\leq B$

repeat
for $i=1$ to $k+1$ do
Choose 0 such that $z_i^2 \text N$ is $B$-smooth
Let $a_i := \$ such that $z_i^2 \text N = \prod_ p_j^$
end for

Find non-empty $T \subseteq \$ such that $\sum_ a_i \equiv \vec \pmod$
Let $x := \left(\prod_ z_i\right) \text N$
$y := \left(\prod_ p_j^ \right) \text N$
while $x \equiv \pm y \pmod$

return $\gcd(x+y, N)$

Example

This example will try to factor ''N'' = 84923 using bound ''B'' = 7. The factor base is then ''P'' = . A search can be made for integers between $\left\lceil\sqrt \right\rceil = 292$ and ''N'' whose squares mod ''N'' are ''B''-smooth. Suppose that two of the numbers found are 513 and 537:

: $513^2 \mod 84923 = 8400 = 2^4 \cdot 3 \cdot 5^2 \cdot 7$

: $537^2 \mod 84923 = 33600 = 2^6 \cdot 3 \cdot 5^2 \cdot 7$

So

: $(513 \cdot 537)^2 \mod 84923 = 2^ \cdot 3^2 \cdot 5^4 \cdot 7^2 \mod 84923$

Then

$\begin & (513 \cdot 537)^2 \mod 84923 \\ & = (275481)^2 \mod 84923 \\ & = (84923 \cdot 3 + 20712)^2 \mod 84923 \\ & =(84923 \cdot 3)^2 + 2\cdot(84923\cdot 3 \cdot 20712) + 20712^2 \mod 84923 \\ & = 0 + 0 + 20712^2 \mod 84923 \end$

That is, $20712^2 \mod 84923 = (2^5 \cdot 3 \cdot 5^2 \cdot 7)^2 \mod 84923 = 16800^2 \mod 84923.$

The resulting factorization is 84923 = gcd(20712 − 16800, 84923) × gcd(20712 + 16800, 84923) = 163 × 521.

Optimizations

The quadratic sieve is an optimization of Dixon's method. It selects values of ''x'' close to the square root of such that ''x²'' modulo ''N'' is small, thereby largely increasing the chance of obtaining a smooth number.

Other ways to optimize Dixon's method include using a better algorithm to solve the matrix equation, taking advantage of the sparsity of the matrix: a number ''z'' cannot have more than $\log_2 z$ factors, so each row of the matrix is almost all zeros. In practice, the block Lanczos algorithm is often used. Also, the size of the factor base must be chosen carefully: if it is too small, it will be difficult to find numbers that factorize completely over it, and if it is too large, more relations will have to be collected.

A more sophisticated analysis, using the approximation that a number has all its prime factors less than $N^$ with probability about $a^$ (an approximation to the Dickman–de Bruijn function), indicates that choosing too small a factor base is much worse than too large, and that the ideal factor base size is some power of $\exp\left(\sqrt\right)$.

The optimal complexity of Dixon's method is
:$O\left(\exp\left(2 \sqrt 2 \sqrt\right)\right)$
in big-O notation, or
:L_n /2, 2 \sqrt 2/math>
in L-notation.

References

{{Number theoretic algorithms

Integer factorization algorithms
Squares in number theory