Factoring with Hints

: We introduce a new approach to (deterministic) integer factorisation, which could be described in the cryptographically fashionable term of “factoring with hints”: we prove that, for any ϵ > 0, given the knowledge of the factorisations of O ( N 1/3+ ϵ ) terms surrounding N = pq product of two large primes, we can recover deterministically p and q in O ( N 1/3+ ϵ ) bit operations. This shows that the factorisations of close integers are non trivially related and that consequently one can expect more results along this line of thought.


Introduction
The problem of quickly factoring large integers is central in cryptography and computational number theory. The current state of the art in factoring large integers N, the Number Field Sieve algorithm [5,6], stems from the earlier Quadratic Sieve [11] and Continued Fraction [9]. We should also mention the Elliptic Curve Method by H. Lenstra [7], which is particularly useful when N has a small prime factor p. They are all probabilistic factoring algorithms.
These (︀ e c(log p) 1/2 (log log p) 1/2 )︀ , for some constant c (not always the same). The first two strive to find nontrivial arithmetical relations of the form x 2 ≡ y 2 (mod N) (which lead to a nontrivial factor by computing gcd(N, x + y)), whereas the third is a generalisation of Pollard's p − 1 method [10], involving computations in some elliptic curve group instead of Z/N. We should note, however, that there exist probabilistic algorithms with proved running time O (︀ exp((1 + o(1))(log N) 1/2 (log log N) 1/2 ) )︀ [8]. As far as the author is aware, no such rigorous bound exists in the form O (︀ exp (︀ (log N) c )︀)︀ for c < 1/2. Similarly, no deterministic subexponential algorithm is currently known, the best one being Shanks' square form factorization SQUFOF which runs in O(N 1/4+ϵ ), or in O(N 1/5+ϵ ) on the Extended Riemann Hypothesis. Recently Hittmeir [4] has somewhat improved Shanks' unconditional result to O )︀ for some explicit constant C > 0. This is currently the best unconditional deterministic factoring algorithm.
In this work, we want to introduce a new paradigm in integer factorisation, one that doesn't supersede previous efforts, but rather complements it by showing that the factorisation of a small number of consecutive integers is related in a nontrivial way. Therefore, if numbers close to a product N = pq of two primes are easier to factor than N itself, we can expect a reduction in the time to factor N. Here we content ourselves with a first nontrivial result. ) bit operations mentioned in the theorem essentially involve the factorisations of the first O(N 1/3+ϵ ) integers, where similarly the factors p, q of a RSA modulus would not appear. Thus we can loosely say that our result proves that the factorisation of N = pq is related to the factorisations of the O(N 1/3+ϵ ) integers closest to it and to the O(N 1/3+ϵ ) smallest positive integers. The structure of this article will be as follows. After recalling notations (Section 2) we explain the main idea of the method: finding a close enough approximation to the value of a multiplicative function σ 1/2 (N) and deduce a corresponding approximation a to p dividing N (Section 3).
In Section 4, we use generating functions (products of zeta functions) and their inverse Mellin transforms when multiplied by an appropriate kernel to define the quantities that we will be led to evaluate: Fν(x) and Pν(x).
In Section 6, we obtain a different expression for Fν(x) by making use of the functional equation of the generating function. We discover that the new expression can be easily computed save for two families of oscillating series.
Finally, in Section 7, we show that by computing around N 1/3+ϵ terms in the oscillating series, each of which can be done in polynomial time, one can get a block approximation to σ 1/2 (n) for n = N together with about N 1/3+ϵ of its neighbours. Therefore, knowing the factorisation of these neighbours would allow us to find an approximation to σ 1/2 (N) and therefore to a divisor p of N.

Notations
In this work N = pq where p, q are distinct prime numbers. We follow standard notations in analytic number theory and indeed a classical reference on the subject is the treatise of Davenport [3]. In particular, we will make liberal use of the O notation in Landau's as well as Vinogradov's form (≪). Hence, for instance means that g(u) > 0 and |f (u)|/g(u) is bounded above (usually as u → ∞ or u → 0 + , depending clearly on the context). Unless specified, the implied constants are absolute.
Any sum such as ∑︁ abc=n a 2 bc is to be understood as taken over all positive integers a, b, c such that abc = n. We also define so that for instance the number of divisors of n is ∑︀ d|n 1 and its sum of divisors ∑︀ d|n d. We also write s = σ+it, with σ, t ∈ R, according to the established convention in analytic number theory.
Finally, we write a . = b to signify that a = b + terms that are not necessarily negligible in size but can be computed in polynomial time (in the bit size of the challenge to be factored), so that they are negligible in time.

Choice of a Multiplicative Function
Our goal will be to compute σ 1/2 (N) = 1 + If so, then one gets an approximation A to Let us study the function in (0, ∞) The function f is convex in (0, 3 √ N) with a unique critical point (and therefore absolute minimum) at z = √ N.
We will suppose that N = pq with p < √ N < q. In fact, we may as well suppose that p ≤ √ N − 2 by inspection.
To see that such a exists, notice that f is decreasing in (0, and therefore p = ⌊a⌉, the integer nearest to a.

Choice of a Test Function
Consider the Riemann zeta function ζ (s) = ∑︁ n≥1 1 n s , convergent for ℜs > 1. Then absolutely convergent whenever ℜs > 3/2. Now let for ν ∈ N¹ with ν ≥ 2, The Mellin transform of f is by definition the beta function hence by the inverse Mellin transform², 1 2πi 1 In fact, ν doesn't need to be an integer, but it simplifies calculations to assume so.
2 We will also use the notation Call the right-hand side is a piecewise polynomial (given by a different expression between consecutive integers).

Functional Equation of the Riemann Zeta Function
The Riemann zeta function is a meromorphic function having a simple pole with residue 1 at s = 1 and satisfying the functional equation (given here in asymmetric form)
Putting it together we obtain 1 2πi Remark that if k ≥ 1, since |Γ(s)| < e −π|t|/2 |t| −k−1 on ℜs = −k−1/2, the left-hand side of the previous expression is analytic for ℜy > 0 and continuous up to ℜy = 0. Therefore the previous formula for k ≥ 1 holds in the closed half-plane ℜy ≥ 0. With this explicit expression we find that 1 2πi In this last expression, the only terms that we cannot calculate explicitly are the two inner series in (4) and (5).

Factoring with Hints
We show here, given 0 < ϵ < 1, how to calculate in O(N 1/3+ϵ ) bit operations, assuming the factorisation knowledge of O(N 1/3+ϵ ) integers immediately around N = pq, the quantity σ 1/2 (N) = , which is sufficient to derive p and q. In the following, we suppose that ν is a fixed (in terms of N) integer with ν ≥ 20/3ϵ. The work done in the previous section allows us to write √ xn n ν/2+m/2 (6) In fact, the series without the oscillating exponential terms can be calculated in polynomial time to within O(x −ν ) by methods of [1,2] because Having fixed ϵ > 0, we approximate the series and therefore (6) and (7) can be replaced by the corresponding expressions where the inner sums in n are truncated at n ≤ x 1/3+ϵ/2 with a total error to within O(x −ν ). This can be done by calculating a ∈ [0, 2π) such that a ≡ √ xn 1 n 2 (mod 1) with error ≪ x −ν and then using a Maclaurin expansion of the exponential truncated after ν log x terms. To summarise, we can compute the right-hand side of (6), (7)  ). This leads to an approximation of σ 1/2 (N) within N ν/3−(ν−1)(1/3+ϵ) ≪ N −1 since ϵν ≥ 7/3 . Recovering p | N is explained in Section 3.

Final Considerations
Our method relates the factorisations of O(N θ+ϵ ) numbers close to N with the factorisations of the first O(N θ+ϵ ) integers. The result given here (with θ = 1/3) is rather crude, because the series (6) and (7) were approximated by trivially computing the partial sum (8). An avenue for improvement would be in the selection of a better suited test function or another (or more than one) multiplicative function.