What's the approximate computational cost of factoring $N=u^2-v^2$ when $v\ll u$? Assume $u$ and $v$ are unknown integers, with $u$ large enough that $N$ has the size of an RSA modulus.

I suspect there will be at least four ranges of $v$ as it grows, and wonder where the cutoffs are:

  1. $v$ is small enough that for $u_0=\left\lceil\sqrt N\,\right\rceil$, ${u_0}^2-N$ is an integer, thus $u=u_0$, $v=\sqrt{u^2-N}$, and $N=(u-v)(u+v)$.
  2. Fermat factoring and simple improvements are competitive. The baseline tries $i$ sequentially until $(u_0+i)^2-N$ is a square, thus $u=u_0+i$, and the rest as above.
  3. A method based on the Coppersmith theorem is best. I didn't know it existed before this answer.
  4. GNFS becomes king.

Update: I find that (1) works for $v$ up to $\sqrt2\,N^{1/4}$.

fgrieu
  • In the linked answer the Coppersmith theorem is an overkill. The Fermat method succeeds immediately, I added my answer there. – Fractalice Jun 05 '21 at 08:45
  • Around step 3 you can also try Shanks' Square Root Factorization, which should be strictly better than Fermat's, but for large integers worse than the "bigger guns" (GNFS, and possibly variations of the quadratic sieve). – tylo Jun 05 '21 at 16:17
  • @tylo: I agree SQUFOF would go after 2 if there was not 3. But with 3, I have no idea if there remains a spot where it's best. – fgrieu Jun 05 '21 at 21:30
  • @fgrieu Also integers need to be quite large, before GNFS becomes actually better than other methods. At least a couple of hundred bits in length. I can't recall any source, but plotting the L notation shows that it's quite bad for small numbers. That's not an issue for today's RSA lengths, though. – tylo Jun 06 '21 at 11:40
  • It is 100% overkill. The original question sounded like homework. The bivariate method from 2009/318 looks interesting, though I don't know if you can realistically get to 1/3. – Samuel Neves Jun 07 '21 at 00:04

1 Answer

The Fermat method succeeds immediately when $|p-q| = 2v < N^{1/4}$.

There is a paper claiming polynomial time factoring when $|p-q| = 2v < N^{1/3}$ using Coppersmith-based methods.

Fractalice
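The first two ranges from the question, as an added example that is not part of the original question or answer: a bounded Fermat search that reports how many increments of $u_0$ it needed, usable as a key-generation sanity check for factors that are too close. The names `fermat_factor`, `demo`, `U`, `V_RANGE1` and `V_RANGE2` and all input values are constructed for illustration.

```python
from math import isqrt

def fermat_factor(N, max_steps=1_000_000):
    """Search u = ceil(sqrt(N)) + i until u^2 - N is a perfect square.

    Returns (u - v, u + v, i) with N == (u - v) * (u + v), or None if no
    square shows up within max_steps increments.
    """
    if N < 1:
        raise ValueError("N must be a positive integer")
    u0 = isqrt(N)
    if u0 * u0 < N:              # round up so that u0 = ceil(sqrt(N))
        u0 += 1
    for i in range(max_steps + 1):
        u = u0 + i
        d = u * u - N            # candidate for v^2, never negative
        v = isqrt(d)
        if v * v == d:
            return u - v, u + v, i
    return None

# Constructed inputs (not from the post): N = U^2 - v^2 is about 2048 bits.
U = 2**1024 + 297
V_RANGE1 = 2**511   # below sqrt(2) * N^(1/4): range (1), zero increments
V_RANGE2 = 2**516   # above that bound: range (2), roughly v^2 / (2u) = 128 increments

def demo(v, u=U):
    """Factor the constructed N = u^2 - v^2 and return (p, q, increments)."""
    return fermat_factor(u * u - v * v)

if __name__ == "__main__":
    for v in (V_RANGE1, V_RANGE2):
        p, q, steps = demo(v)
        print(f"v = 2^{v.bit_length() - 1}: {steps} increments, "
              f"|p-q| has {(q - p).bit_length()} bits")
    # Factors far apart: the bounded search gives up and returns None.
    print(fermat_factor((2**127 - 1) * (2**521 - 1), max_steps=1000))
```

The increment count grows like $v^2/(2u)$, which is why the plain method stops being practical soon after $v$ passes $N^{1/4}$.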