MPQS again (after a few months to think about it...)
- I've been experimenting with MPQS, and seem to have spotted a
disadvantage in the merging of partials and double-partial relations
to create full relations. I'd be pleased if you could advise me or
cast any light on this procedure.
Here's what I'm doing, just using a single polynomial (effectively
N is composite, suspected of being composed of just 2 large primes ...
S = int(sqrt(N))
T = int(sqrt(N*2))
R = (S+1)^2 (mod N)
A = 1
B = 2 * S
C = R - 1 - B
U(x) = A*x+B
W(x) = A*A + A*B*x + C
F is a factor base 2 to 131071 (because I'm using UBASIC, and it's
built in !!)
I start with a suspected large prime LP = (T-S), and test if probable
prime with bases 3 to 19, if not then LP = LP - 1 and try again until
I found a prime.
Solve W(x) == 0 mod LP, obtaining two roots x1 and x2. If no roots
are found, then go back to previous step of LP selection.
If I got roots, then plug the roots into U(x) and W(x), to arrive at
two sets of values for U(x), W(x) with the LP common to both W(x).
U(x1) == W(x1) where W(x1) = some small primes SP1, my large prime LP
and maybe some other large primes / composites QP1
U(x2) == W(x2) where W(x2) = some small primes SP2, my large prime LP
and maybe some other large primes / composites QP2
Then I look at QP1 and QP2 ...
If QP1 is 1, then keep.
If QP1 is a large prime LESS THAN LP, then keep.
Otherwise reject and go back to LP selection stage above.
Ditto for QP2 ...
So if I'm here, I now have the following possibilities ...
U(x1) * U(x2) == SP1 * SP2 * LP * LP * 1 * 1 ==> whoopee, I got a
U(x1) * U(x2) == SP1 * SP2 * LP * LP * 1 * QP2 ==> okay, I got a
partial relation with QP1 less than LP
U(x1) * U(x2) == SP1 * SP2 * LP * LP * QP1 * QP2 ==> hmm, I got a
double partial relation with QP1 and QP2 less than LP
As I collect these, full relations I store to disk, and the partials
and double partials I analyse further substituting each QP1 and QP2
into LP, and running the above procedures again ... the goal being to
each time reduce the QP1 and QP2 until they eventually fall within my
factor base F and become full relations.
So after a while, I got a disk file of full relations. The magnitude
of numbers I'm testing mean I don't need any Gaussian or Lanczos
elimination ... usually I load into a spreadsheet, sort by different
columns and the potentials make themselves apparent pretty quickly.
And here in comes the crunch ... combining any two full relations is
supposed to give a factor in 50% of the cases
When x2 - y2 = kN, and x <> y mod N, we get a factor
When x2 - y2 = kN, and x == y mod N, we don't get a factor
But my test results are leading me to believe that every time I
combine two partials to make one full relation, or combine two double-
partials to make one partial relation, effectively I'm again halving
the change that I will eventually find a factor.
So if I used 4 sets of partial relations, combine to get 2 full
relations, then combine to get an x2 and y2, I only have 12.5% chance
of getting a factor, rather than 50% !!
Wose still, if I used 8 sets of double-partial relations, combine to
get 4 partial relations, combine to get 2 full relations, then
combine to get an x2 and y2, I only have a 0.78125% chance of getting
a factor !!
Am I missing something here, or is my evaluation correct. If the
latter is true then any benefit of using PMPQS or PPMPQS is surely
outweighed by the fact that the eventual chance of finding a factor
is not 50% but maybe 12.5% or even as low as 0.78125% ?
> Am I missing something here, or is my evaluation correct. If theIt's conventional to "divide" the quadratic residue by the large prime
> latter is true then any benefit of using PMPQS or PPMPQS is surely
> outweighed by the fact that the eventual chance of finding a factor
> is not 50% but maybe 12.5% or even as low as 0.78125% ?
once relations have been combined in this manner. "Divide", of course,
means "multiply by the multiplactive inverse". Having performed this
operation, discard both identical copies of the large prime from the
You should find that this returns the probability back to 50%. Think
- Your claim is that partials and partial-partials yield
a little full relations. It is right in a sense.
But experiments show that PMPQS or PPMPQS yield more full relations
than MPQS for over 70 digits.
You have to notice that the probability yielding full relations
>from partials is not lenear to the number of partials.Have you ever heard about birthday paradox?