The Factorization Of F7: Part 1 September 14, 2010

In the seventeenth century, the French jurist and amateur mathematician Pierre de Fermat investigated numbers of the form 22n+1, now known as Fermat numbers: 3, 5, 17, 257, 65537, 4294967297, 18446744073709551617, 340282366920938463463374607431768211457, … (Sloane’s A000215). Fermat noted that the first five numbers in the sequence, F 0 to F 4 , were prime, and conjectured that all the remaining numbers in the sequence were prime. He was wrong, as Leonhard Euler proved in 1732 with the factorization of F 5 = 641 · 6700417; then Thomas Clausen factored F 6 = 274177 · 67280421310721 in 1855. Those first five numbers are the only members of the sequence that are known to be prime, and it now conjectured that all the remaining Fermat numbers are composite. There is something of a cottage industry among mathematicians and programmers to find new factors of Fermat numbers; you can find the current status of that friendly competition at http://www.prothsearch.net/fermat.html.

On September 13th, 1970, Michael A. Morrison and John Brillhart factored the seventh Fermat number: F 7 = 227+1 = 2128+1 = 340282366920938463463374607431768211457 = 59649589127497217 · 5704689200685129054721. Their feat inaugurated the modern culture of factorization by computer, and their now-deprecated method was the direct predecessor of the quadratic sieve that is today the most powerful factorization method available for personal computers, able to factor numbers up to about a hundred digits (the most powerful factoring algorithm known is the number field sieve, which can factor numbers up to about 150 digits, but requires a large cluster of computers). On the fortieth anniversary of their achievement we recreate their computation in this exercise and the next. We are following their description of their work in “A Method of Factoring and the Factorization of F 7 ” in Mathematics of Computation, Volume 29, Number 129, January 1975, Pages 183-205, available on-line at http://www.ams.org/journals/mcom/1975-29-129/S0025-5718-1975-0371800-5/S0025-5718-1975-0371800-5.pdf.

The math behind the method dates to Fermat, who noted that a factor of N could be found when x2 – N was a perfect square; thus, Fermat’s factorization method started at the square root of N and worked x backwards until it reached a solution, as we did in a previous exercise. Early in the twentieth century, Maurice Kraitchik, a Ukrainian emigré and recreational mathematician living in Paris, observed that Fermat’s formula could be written as x2 ≡ y2 (mod N). Then, in 1931, D. H. Lehmer and R. E. Powers discovered that the convergents of the continued fraction representation of the square root of N provided a suitable x and y, but their method was considered unusable because the calculations were too tedious and time-consuming for manual calculation, and the method frequently failed to find a factorization. In 1965, Brillhart realized that the tedious calculations were fit for computer calculation, and he and Morrison spent the summer of 1970 developing their method.

The continued fraction method works in two stages, a first stage that computes successive convergents of the continued fraction representing the square root of the number being factored, and a second stage that performs linear algebra on the factors of the convergents and computes a factor of the original number. Morrison and Brillhart, using an IBM 360/91 mainframe computer at UCLA, coding in PL/1 with assembly-language libraries for large-integer processing, divided the work into programs RESIDUE and ANSWER to make it fit into the machine. We will likewise divide the work into two exercises, looking at RESIDUE today and ANSWER in the next exercise.

We saw continued fractions previously, in the exercise on the golden ratio. Square roots can be computed by continued fractions, and are always periodic; we’ll refer to the article by Morrison and Brillhart for the math and skip directly to their algorithm to expand √N, or √kN for some suitable multiplier k ≥ 1, into a simple continued fraction:

Initialize A −2 = 0, A −1 = 1, Q −1 = kN, r −1 = g, P 0 = 0, Q 0 = 1, and g = ⌊√kN⌋. For each n from 0 to a user-specified limit: Compute q n and r n using the formula g + P n = q n Q n + r n , where 0 ≤ r n < Q n .

and r using the formula g + P = q Q + r , where 0 ≤ r < Q . Compute A n (mod N) using the formula A n ≡ q n A n−1 + A n−2 (mod N).

(mod N) using the formula A ≡ q A + A (mod N). Compute g + P n+1 using the formula g + P n+1 = 2g − r n .

using the formula g + P = 2g − r . Compute Q n+1 using the formula Q n+1 = Q n−1 + q n (r n −r n−1 ).

Some of the Q n must be factored. That “some” sounds odd. The idea is to factor those Q n that have all their prime factors less than some pre-specified limit, said primes having a Jacobi symbol of 0 or 1 indicating that they are quadratic residues of kN and thus potential factors; we saw the Jacobi symbol in the exercise on modular arithmetic. The procedure is to choose a limit, compute a factor base of those primes that are potential factors, then use trial division to determine if the Q n should be added to the out-going list; Morrison and Brillhart call such a Q n an A − Q pair.

Morrison and Brillhart, based on Lehmer and Powers before them, give this example: let N = 13290059 and k = 1; then g = 3645. Then selected results from the expansion of √kN are given below:

n g+P n Q n q n r n A n−1 (mod N) Q n factored −1 … 13290059 … 3645 0 … 0 3645 1 3645 0 1 … 1 7290 4034 1 3256 3645 2 · 2017 2 4034 3257 1 777 3646 3257 3 6513 1555 4 293 7291 5 · 311 4 6997 1321 5 392 32810 1321 5 6898 2050 3 748 171341 2 · 52 · 41 10 6318 1333 4 986 6700527 31 · 43 22 4779 4633 1 146 5235158 41 · 113 23 7144 226 31 138 1914221 2 · 113 26 5622 3286 1 2336 11455708 2 · 31 · 53 31 6248 5650 1 598 1895246 2 · 52 · 53 40 6576 4558 1 2018 3213960 2 · 43 · 53 52 7273 25 290 23 2467124 52

The output from RESIDUE is a list of the following items for each Q n that could be factored over the factor base: n, A n−1 , Q n , and a list of the odd-power primes dividing Q n (thus, factors like 52 of Q 31 are omitted); forty years ago, the output was given on punched cards! In the example above, the rows for Q 5 , Q 10 , Q 22 , Q 23 , Q 26 , Q 31 , and Q 40 should appear in the output, based on a factor base containing 2, 5, 31, 41, 43, 53, and 113. Note that 5 is part of the factor base even though it doesn’t appear as an odd power in any of the Q n .

Your task is to write the RESIDUE function that computes a factor base and returns a list of factored Q n ; we will complete the factorization of F 7 in the next exercise. Apply your function to F 7 using a factor base of the first 2700 suitable primes less than 60000 and a multiplier of 257. When you are finished, you are welcome to read or run a suggested solution, or to post your own solution or discuss the exercise in the comments below.